A moment’s reflection and the IT Privacy and Security Weekly Update for March 1st, 2022
Daml’ers,
Before we start this week’s update it’s important to acknowledge what is going on in the world around us. There is a physical war involving the attack on Ukraine where the courage and the stamina of the people have engendered new levels of respect and awe, and there is a cyberwar.
Both at the direction of one individual.
Every single inhabitant on this planet will pay for his decision. Some will lose their homes, others their retirement savings, some will pay more for food and fuel, and some will pay the ultimate sacrifice.
Wherever you are in the world, if you can help, please do help.

In the best IT Privacy and Security Weekly Update yet we start by covering current events, before lifting the lid on your home router, going underground (literally), and then finishing high above the Earth.
Let’s start our journey.
Global: Russia Sanctions May Spark Escalating Cyber Conflict
Michael Daniel heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.
- The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPetya event — basically some type of cyberweapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely-used piece of hardware or software.
Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.
- “The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”
Russia has already been caught planting malware in the same kind of industrial computers used by power utilities in both Australia and the US.
In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. A retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.
So what’s the upshot for you? It’s not only the Ukraine that Russia is taking to war. It’s the whole world.
Global: ‘Whatever it takes’
CyberScoop – 28 Feb 22
Industrial control systems security firm Dragos, in response to concerns over retaliatory cyber responses outside of Ukraine, on Thursday offered up free cybersecurity support and incident response to cooperative and municipally-owned utilities in the United States, United Kingdom and New Zealand.
The new users will be automatically enrolled in Dragos’ Neighborhood Keeper, a real-time threat detection and information sharing platform that counts the NSA and CISA as partners.
The service will stay free for the next two years.
“Whatever it takes, we’ll do it,” Dragos CEO and founder Rob Lee said.
So what’s the upshot for you? This is a little more help with cyber defense, but we think they may end up overwhelmed by the response.
UA: List of Cybersecurity Resources for Ukraine
This is a dictionary of companies or verified experts offering cybersecurity services, data, or other tangible assets to assist in Ukraine’s defense of its independence. Secondarily, this may also have resources for other entities in responding to the increasing threat of Russia beyond its borders.
So what’s the upshot for you? These donated resources are from companies that have been vetted and will be held to providing the resources they suggest they will provide, so it’s not just a PR exercise.
UA: Free Cyber & Humanitarian Services for Ukraine
Chris Culling (@chrisculling) has compiled a spreadsheet titled Free Cyber & Humanitarian Services for Ukraine, which has some additional content for businesses needing cybersecurity services but also has content for individuals needing many essential security/communications resources (free texts/calls/connectivity, VPN accounts for journalists, antimalware, etc.).
This list is exceptionally high quality and extends the services/options available to those in need: Free Cyber & Humanitarian Services for Ukraine - Google Sheets
So what’s the upshot for you? We have already heard from the Slovakian arm of Orange and can confirm they are delivering on their promise of phone service.
US: US lobbyists rush to cut ties with lucrative Russian contracts
In the years leading up to Russia’s attack on Ukraine, US lobbyists have raked in millions of dollars from Russian banks and financial firms paying to push their interests in Washington.
Now, in the wake of the Russian invasion and new sanctions announced by President Joe Biden, many of those lobbying firms are rushing to cut ties and drop their lucrative contracts.
At least six lobbying firms that previously represented now-sanctioned Russian banks and companies tied to a Russian natural gas pipeline terminated their contracts or representation this week, according to statements and federal lobbying disclosures.
The exodus marks the rupture of a Moscow-to-K-Street conduit that has long employed former federal officials and members of Congress of both parties, experts said.
So what’s the upshot for you? Before you start to think better of this horde of lobbyists in Washington D.C., dropping contracts with fully blocked banks is not a gesture of solidarity with Ukraine: “this is a requirement under US law.” Lobbyists could face prosecution for running afoul of sanctions laws.
Global: Anonymous Activity
Late last Thursday, Anonymous, the hacker collective, tweeted that it had Vladimir Putin’s regime in its sights: “The Anonymous collective is officially in cyberwar against the Russian government. #Anonymous #Ukraine” — Anonymous (@YourAnonOne) February 24, 2022
In the days since, the group has claimed credit for several cyber incidents including distributed denial of service attacks – where a site is rendered unreachable by being bombarded with traffic – that have brought down government websites and that of Russia Today, the state-backed news service. The DDoS attacks still appeared to be working on Sunday afternoon, with the official sites for the Kremlin and Ministry of Defence inaccessible.
Anonymous also said it had hacked the Ministry of Defence database, while on Sunday it was claimed the group had hacked Russian state TV channels, posting pro-Ukraine content including patriotic songs and images from the invasion.
The international hacker collective Anonymous then appears to have again made good on its declaration of cyberwar against Russia and its allies, apparently exposing 200GB of emails from Belarusian weapons manufacturer Tetraedr.
Anonymous breached the firm’s defenses and released the most recent 1,000 emails from inboxes belonging to Tetraedr employees, passing them over in .EML format to the information transparency platform DDoSecrets.
Tetraedr is a private company founded in 2001 that specializes in making advanced radio-electronic weapons systems. It is based in Belarus, which has provided Vladimir Putin with logistical support in his invasion of Ukraine. Its dictatorial leader, Alexandr Lukashenko, has long been regarded as a puppet of Putin.
So what’s the upshot for you? Anonymous said it is also working “to keep the Ukrainian people online as best we can.”
Jamie Collier, a consultant at US cybersecurity firm Mandiant, stated: “It can be difficult to directly tie this activity to Anonymous, as targeted entities will likely be reluctant to publish related technical data. However, the Anonymous collective has a track record of conducting this sort of activity and it is very much in line with their capabilities.”
RU: Conti ransomware gang chats leaked by pro-Ukraine member
A member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on Friday, in the aftermath of Russia’s invasion of Ukraine.
The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists and security researchers. The leaked material includes:
- Messages showing Conti’s relationship with the TrickBot and Emotet malware gangs, from where they often rented access to infected computers to deploy their malware.
- Messages confirming that the TrickBot botnet had shut down earlier this month.
- Messages containing ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident.
- Bitcoin addresses where the Conti gang received payments, which would be useful to law enforcement to track down the gang’s profits.
- Messages showing that the Conti gang attempted to set up demos with security companies like CarbonBlack and Sophos in an attempt to test their tools and find evasion methods to avoid detection.
- The leaker also added that the Jabber/XMPP logs are only the first part of a larger set of Conti-related files they plan to release in the future.
So what’s the upshot for you? Interestingly, several other Russian hacking teams seemed to have immediately toned down their language after this, with some explaining that they are “politically neutral”.
UA: Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion
Microsoft detected cyberattacks launched against Ukraine hours before Russia’s tanks and missiles began to pummel the country last week.
“Several hours before the launch of Russian missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith said.
“We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success.”
Smith said that within three hours of discovering FoxBlade, Microsoft had added new signatures to its Defender anti-malware service to detect the exploit.
So what’s the upshot for you? We almost forgot Microsoft could move this quickly.
CN: New Chinese hacking tool found
Feb 28 (Reuters) - Security researchers with U.S. cybersecurity firm Symantec said they have discovered a “highly sophisticated” Chinese hacking tool dubbed Daxin, that has been able to escape public attention for more than a decade.
Symantec’s attribution to China is based on instances where components of Daxin were combined with other known, Chinese-linked computer hacker infrastructure or cyberattacks, said Vikram Thakur, a technical director with Symantec.
Symantec researchers said the discovery of Daxin was noteworthy because of the scale of the intrusions and the advanced nature of the tool.
“The most recent known attacks involving Daxin occurred in November 2021. Daxin’s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic.”
Daxin’s victims included high-level, non-Western government agencies in Asia and Africa.
“Daxin can be controlled from anywhere in the world once a computer is infected,” said Thakur. “That’s what raises the bar from malware that we see coming out of groups operating from China.”
So what’s the upshot for you? The actors have been successful in not only conducting campaigns but being able to keep their creation undiscovered for over a decade.
IL: Shedding Light on Samsung’s insecure phone security
Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.
Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.
What’s more, cyber attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s security protocols. That would set up a phone to be vulnerable to future attacks.
Samsung’s TrustZone splits a phone into two portions, known as the Normal World (for running regular tasks, such as the Android OS) and the Secure World, which handles the security subsystem and where all sensitive resources reside. The Secure World is only accessible to trusted applications used for security-sensitive functions, including encryption.
“Loosely speaking, AES-GCM needs a fresh burst of securely chosen random data for every new encryption operation – that’s not just a ‘nice-to-have’ feature, it’s an algorithmic requirement. In internet standards language, it’s a MUST, not a SHOULD.
That fresh-every-time randomness (12 bytes’ worth at least for the AES-GCM cipher mode) is known as a ‘nonce,’ short for Number Used Once – a jargon word that cryptographic programmers should treat as a command, not merely as a noun.”
However, Samsung’s cryptographic code didn’t enforce that requirement. By exploiting this loophole, the researchers pulled off a feat that is supposed to be impossible: they were able to extract cryptographic secrets from inside the secure hardware.
Matthew Green, cryptographer, security technologist, and Associate Professor of Computer Science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated “serious flaws” in the way its phones encrypt key material in TrustZone, calling it “embarrassingly bad.”
So what’s the upshot for you? “There is always pushback in the security research community against doing ‘attack work’ that finds these vulnerabilities. Which is reasonable but too bad since the alternative is a company like Samsung f*rting your secret keys everywhere,” says Matthew Green.
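As an added illustration (not code from the original post or from the Tel Aviv researchers), the Go program below shows the general consequence of the nonce rule quoted above rather than the Samsung-specific attack: when an AES-GCM key and nonce are reused, XORing the two ciphertexts cancels the keystream and exposes one message given the other, while the SafeEncryptor type shows the fix, a fresh random nonce drawn inside the encrypt call so callers can never reuse one. The key, messages and nonce are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed demo key (16 bytes = AES-128); a real key is random and secret.
var demoKey = []byte("0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak mirrors the weak design: the caller picks the nonce, so the
// same (key, nonce) pair can cover two messages. GCM is CTR mode plus a tag,
// so XORing the two ciphertext bodies (tags stripped) cancels the shared
// keystream and yields p1 XOR p2; with one plaintext known, the other is read
// without the key.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	c1 := gcm.Seal(nil, nonce, p1, nil)
	c2 := gcm.Seal(nil, nonce, p2, nil)
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

// SafeEncryptor is the corrected shape: the nonce is not a parameter. Every
// call draws 12 fresh random bytes and prepends them to the ciphertext.
type SafeEncryptor struct{ gcm cipher.AEAD }

func NewSafeEncryptor(key []byte) (*SafeEncryptor, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &SafeEncryptor{gcm: gcm}, nil
}

func (e *SafeEncryptor) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, e.gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func (e *SafeEncryptor) Decrypt(blob []byte) ([]byte, error) {
	ns := e.gcm.NonceSize()
	if len(blob) < ns+e.gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return e.gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	p1 := []byte("pin: 1234, owner: alice") // constructed sample messages
	p2 := []byte("pin: 9876, owner: bob  ")
	leak, _ := NonceReuseLeak(demoKey, []byte("fixed-nonce!"), p1, p2) // 12-byte nonce reused
	fmt.Printf("p2 recovered from c1, c2 and p1: %q\n", xorBytes(leak, p1))
}
```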
UK: Think you can maintain your privacy underground? Think again.
The quantum gravity gradiometer, which was developed under a contract for the UK Ministry of Defence and in the UKRI-funded Gravity Pioneer project, was used to find a tunnel buried outdoors in real-world conditions one meter below the ground surface. It wins an international race to take the technology outside.
The sensor works by detecting variations in microgravity using the principles of quantum physics, which is based on manipulating nature at the sub-molecular level.
The success opens a commercial path to significantly improved mapping of what exists below ground level.
This will mean:
- Reduced costs and delays to construction, rail, and road projects.
- Improved prediction of natural phenomena such as volcanic eruptions.
- Discovery of hidden natural resources and built structures.
- Understanding archaeological mysteries without damaging excavation.
So what’s the upshot for you? “Detection of ground conditions such as mine workings, tunnels, and unstable ground is fundamental to our ability to design, construct and maintain housing, industry, and infrastructure. The improved capability that this new technology represents could transform how we map the ground and deliver these projects.”
US: NVIDIA Confirms Employee Credentials Stolen in Cyberattack
“NVIDIA this week acknowledged that employee credentials were stolen during a cyberattack on February 23 and confirmed the attackers have started leaking the information online.
The compromise occurred on February 23 and impacted certain “IT resources,” an NVIDIA spokesperson told SecurityWeek.
“Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement,” the NVIDIA spokesperson added.
While the investigation into the incident continues, NVIDIA says that it hasn’t found evidence that ransomware was deployed on its network.”
So what’s the upshot for you? NVIDIA is still assessing the extent of the intrusion.
EU: Viasat Attributes Outage to "Cyber Event"
The timing of the disruption coincides with Russian President Vladimir Putin’s authorization of “special military operations” in Ukraine, with multiple ISPs reporting outages since the early hours of February 24.
PaxEX.Aero confirmed three outages but said as many as six may have occurred. Impacted ISPs include one in France and EUSANET in Germany.
So what’s the upshot for you? “Viasat is experiencing a partial network outage impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network.”
Global: SpaceX shipment of Starlink satellite-internet dishes arrives in Ukraine, a government official says
A shipment of SpaceX’s Starlink satellite-internet dishes arrived in Ukraine on Monday, less than 48 hours after CEO Elon Musk announced the company would send support, according to Mykhailo Fedorov, a top official in the nation’s government.
Fedorov had written on Twitter: “@elonmusk, while you try to colonize Mars – Russia try to occupy Ukraine! While your rockets successfully land from space – Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.”
Yesterday, Fedorov posted a photo of a truck full of Starlink equipment along with the message: “Starlink – here. Thanks, @elonmusk.”
Each Starlink kit includes a user terminal to connect to the satellites, a mounting tripod, and a Wi-Fi router. It’s not known how many kits SpaceX is sending to support Ukraine.
So what’s the upshot for you? Some on Twitter were most impressed that the dishes shipped on time, others impressed by the fact that the dishes appear to be the older heated, curved design that neighborhood cats so enjoy napping in.
Global: Your home Router Is Collecting Your Data. Here’s What to Know, and What to Do About It
https://dd-wrt.com/support/router-database/
Almost all of the web traffic in your home passes through your router, so maybe it’s difficult to imagine that it isn’t tracking the websites that you’re visiting as you browse. Every major manufacturer I looked into discloses that it collects some form of user data for marketing – but almost none of the policies I read included any language that explicitly answered the question of whether or not a user should expect their web history to be logged or recorded.
The sole exception? Google. “Google Wifi and Nest Wifi devices do not track the websites you visit or collect the content of any traffic on your network,” Google’s support page for Nest Wifi privacy reads. “However, your Google Wifi and Nest Wifi devices do collect data such as Wi-Fi channel, signal strength, and device types.”
CommScope notes that the way it handles and shares data used for performance analytics with its Arris Surfboard routers constitutes a sale of personal data under California law.
TP-Link said that it doesn’t collect user browsing history for marketing purposes, but the company muddies the waters with confusing and contradictory language in its privacy policies saying that browser history is collected using cookies, tags, pixels, and other similar technologies, anonymized, and then shared internally within the TP-Link group for direct marketing purposes.
With respect to routers, all of the companies I looked at acknowledged that they share user data with third parties for marketing purposes. The majority of these companies claim that these are in-house third parties bound by the company’s policies, and all of the companies I reached out to said that they don’t share data with third parties for their own, independent purposes. Still, that’s a tall trust ask for privacy-conscious consumers.
This finally brings us to Eero. The company does not offer an option for opting out of data collection and instead tells users that the only way to stop its devices from gathering data is to not use them.
“You can stop all collection of information by the Application(s) by uninstalling the Application(s) and by unplugging all of the Eero Devices,” the Eero privacy policy notes. After that, you must still ask Eero to delete your personal data from its records by emailing privacy@eero(dot)com.
So what’s the upshot for you? Can I opt-out of data collection altogether? With some manufacturers, the answer is yes. With others, you can request to view or delete the data that’s been collected about you. Generally, none make it easy to find the opt-out details.
There’s simply no good way to know for certain where your data will end up or what it will be used for, and privacy policies will only tell you so much about what data is being collected.
For your next router, you may want to consider flashing it with open-source firmware such as DD-WRT. See our notes in the blog for details.
Space: The Urgency To Cyber-Secure Space Assets
Space is an emerging and critical cybersecurity frontier that we are becoming increasingly dependent on for both our commerce and security. There is an urgency to move forward to cyber-secure space assets in a rapid, ambitious, and focused path.
Cyber expert Josh Lospinoso succinctly describes why the threat is not theoretical in a recent informative article in The Hill. He notes that “Attacks have been going on for many years and have recently ramped up.
In 2018, hackers infected U.S. computers that control satellites.
Iranian hacking groups tried to trick satellite companies into installing malware in 2019.
One report concluded that Russia has been hacking the global navigation satellite system (GNSS) and sending spoofed navigation data to thousands of ships, throwing them off course.
While there have not been any public reports of direct hacks on satellites, vulnerabilities in ground stations have been exploited to try to alter satellite flight paths, among other aims.”
China also has the capability to act offensively in space, digitally and kinetically.
As far back as 2014, the network of the National Oceanic and Atmospheric Administration (NOAA) was hacked by China. This event disrupted weather information and impacted stakeholders worldwide.
There were approximately 14 other satellite attacks before the NOAA attack.
Eight years later, China is now perceived as even more of a threat. Top U.S. space officials recently said that it is likely the Russian invasion of Ukraine will extend to space, predicting continued GPS jamming and spoofing and urging the military and commercial space operators to be prepared for possible cyberattacks.
National Reconnaissance Office Director Chris Scolese urged attendees at a National Security Space Association conference to “Ensure that your systems are secure and that you’re watching them very closely because we know that the Russians are effective cyber actors.” US space officials expect Russia, Ukraine conflict to extend into space (c4isrnet(dot)com)
So what’s the upshot for you? Russian boosters are used to keep the international space station (ISS) in orbit.
The war is already impacting that maintenance too. The chief of Russia’s space agency said on Twitter: “If you block cooperation with us, who will save the ISS from an uncontrolled deorbit and fall into the United States or Europe?”
He added: “There is also the option of dropping a 500-ton structure to India and China. Do you want to threaten them with such a prospect? The ISS does not fly over Russia, so all the risks are yours. Are you ready for them?”
That’s it for this week. Stay safe, stay secure, look to the heavens before you go out… and we hope to see you all in se7en.
The war is already impacting that maintenance too. The chief of Russia’s space agency said on Twitter: “If you block cooperation with us, who will save the ISS from an uncontrolled deorbit and fall into the United States or Europe?”
I was thinking about this yesterday, as it is one of the most high-profile US/RU JVs. I am confident that the CIS would disembark its Cosmonauts to make a very expensive and highly-visible point.
All in all, an excellent newsletter, and I think the safest thing to do is turn everything off. It will make Life & Work difficult, but it looks like there can only be real Security through Absence.
Interesting point about the Routers especially when most of us are working remotely…