Ukraine, Russia, Cyber-Warfare, Sanctions, Conti Split, & Blocking Software Updates – PSW #730

"The ban on software updates, specifically, captured the attention of cybersecurity experts. One of the most basic pieces of advice for consumers and companies is to make sure all software is updated to the latest version, because known vulnerabilities are patched out. If Russia was prevented from updating software, this would, in theory, make unpatched systems easier to hack. Dmitri Alperovitch, a cybersecurity veteran and the chairman of the Silverado Policy Accelerator, told Motherboard in an online chat that such a ban is “just going to drive them even more towards open source [software].”"

"From our perspective, this sudden appearance of many different highly motivated actors of wildly differing levels of capability presents a special hazard given the current political environment. Even low-capability actors have a possibility of getting lucky, and if they get lucky in the wrong place, real-world consequences could come into play. These groups may be mistaken for state-sponsored organizations, without understanding what kind of reactions they might trigger. This is our greatest concern, that the response to a misattributed attack will lead to an escalation in the conflict. "

"Features like side-channel attack protection, anti-tampering, and anti-cloning help FPGAs provide hardware-enforced isolation, identity management, and accelerated authentication."

"Reality Leigh Winner is an American former intelligence specialist who, in 2018, was sentenced to five years and three months in prison for unauthorized release of classified information to the media."

"So why bother? The change being made doesn't include useful features that appear in newer versions. The situation came to Torvald's attention when, in order to patch a potential security problem with the kernel's linked-list primitive speculative-execution functions, another problem was revealed in the patch. While fixing this, Torvalds realized that in C99 the iterator passed to the list-traversal macros must be declared in a scope outside of the loop itself. "

"Given the timing of the attack, it certainly raises questions about if it’s at all tied to the recent Russian aggression in Ukraine as the cyber attack began at roughly the exact same time as the Russian incursion into Ukraine. Shortly thereafter, the US announced major sanctions against Russia in retaliation for its actions, so it’s possible that hackers friendly with Russian interests could be counter-attacking, and a huge and important company like Nvidia would certainly be a juicy target. However, several days ago the Secretary of the Department of Homeland Security, Alejandro Mayorkas, said the US doesn’t know of any specific and credible threats targeting US companies at this time, but that companies should be prepared just in case. " - Every breach is not Russia, or is it?

Interesting how this is split: "A member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on Friday, in the aftermath of Russia’s invasion of Ukraine. The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists and security researchers."

Good idea? "Namecheap also asked Russian users to move their top-level domains to other providers until March 6 and offered to help those who reach out for assistance with the move. "

Neat C2 framework: "You can run your preferred tool directly in-memory, JavaScript script execution (in-memory without third party dependency), Supported agent types: Powershell (x86/x64), DLL (x86/x64), Executable (x86/x64), Shellcode (x86/x64), Server.exe can be executed in Linux (via dotnet core), The network communication is fully encrypted with a session key not recoverable from the agent binary or from a traffic dump, Communication performed via HTTP/HTTPS, No external dependencies or libraries need to be installed, A powerful command shell, The agent configuration can be updated on the fly (you can change port and protocol too)"

"If your endpoint must be exposed, Docker recommends configuring a docker context in order to only expose the Docker socket to users who are able to log into the Docker host via SSH. An alternative, and also complementary solution to creating a docker context, is a zero-trust infrastructure architecture, where only known or signed containers are allowed to run. In addition, proper zero-trust implementations necessitate that communication between containers is only possible when containers are able to authenticate among themselves via pre-shared certificate."

There is a lot to take in on this one...

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI released new guidance on the WhisperGate and HermeticWiper malware strains in a joint advisory this weekend.

Google has followed Microsoft and Apple’s lead and removed the apps of Russia Today (RT) and Sputnik from its mobile app Store, Play, per Reuters. The two Kremlin-linked media outlets were sanctioned in the European Union following Russia’s invasion of Ukraine.

Cybersecurity firms have found a new data wiper used in destructive attacks today against Ukrainian networks just as Russia moves troops into regions of the country. ESET telemetry shows that it was installed on hundreds of machines in the country.

A new advanced persistent threat campaign dubbed "TiltedTemple" has been spttet, in which hackers are leveraging the sophisticated "SockDetour" backdoor in attacks targeting U.S. defense contractors.

US chipmaker giant Nvidia confirmed today it’s currently investigating an “incident” that reportedly took down some of its systems for two days. The Lapsus$ data extortion group claims they breached and stole 1 TB of data from Nvidia’s network. They also leaked online what they claim to be password hashes for all Nvidia employees.

Ukraine stands up to Russian cyberattacks; Putin could launch revenge attacks against US, expert is concerned that economic sanctions currently being levied against Russia could become justification for the Russian President to authorize revenge cyber-attacks against American computer networks – particularly those within our supply chain.

The Conti ransomware group, alleged to have ties to Russian intelligence, posted a warning Friday that said it was "officially announcing a full support of Russian government." Said it would use "all possible resources to strike back at the critical infrastructures” of any entity that organizes a cyber attack "or any war activities against Russia."

A Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang sided with Russia over the invasion with the Ukraine

Hacktivist group Anonymous has declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine.

The Anonymous hacker collective claims to have breached the Belarusian Railway’s data-processing network.