Tuesday, March 01, 2022 // (IG): BB // Weekly Sponsor: ISG
The hacker group Anonymous has waged a cyber war against Russia. How effective could they actually be?
FROM THE MEDIA: A spate of cyber attacks has affected Ukraine’s digital systems since Russia’s invasion began. It soon became clear Russia’s “boots on the ground” approach would be supplemented by a parallel cyber offensive. Last week Ukraine called on its citizens to take to their keyboards and defend the country against Russia’s cyber threat. At the same time, a campaign was underway among the hacktivist collective Anonymous, calling on its global army of cyber warriors to target Russia. Anonymous is a global activist community that has been operating since at least 2008. It brings a potential for significant cyber disruption in the context of Russia’s invasion of Ukraine. The group has previously claimed responsibility for acts of hacktivism against a wide range of targets, including against big businesses and governments. Anonymous’s activities are often aligned to major events, and the group claims to have an “anti-oppression” agenda. The collective has no defined structure or leadership. Acts are simply undertaken under the banner “Anonymous”, with some reports of limited rules of engagement being used to guide actions (although these are likely fluid). As Anonymous is a movement, with no formal legal status or assets, responsibility for actions shifts to individuals. But there remains a fundamental issue of attribution in cyber security incidents, wherein it’s difficult to determine a specific source for any attack.
READ THE STORY: The Conversation
Viasat says 'cyber event' is causing broadband outages across Europe
FROM THE MEDIA: Satellite communications giant Viasat said a cyberattack was causing network outages impacting internet service for fixed broadband customers in Ukraine and elsewhere on its European KA-SAT network. The California-based company, which provides high-speed satellite broadband services, told ZDNet the outages were caused by a cyberattack. "Our investigation into the outage continues, but so far we believe it was caused by a cyber event. We are investigating and analyzing our European network and systems to identify the root cause and are taking additional network precautions to prevent further impacts while we attempt to recover service to affected customers," said Christina Phillips, vice president of public relations at Viasat. "Law enforcement and government partners have been notified and are assisting in the ongoing investigation, along with a third-party cybersecurity firm. The investigation is ongoing, but to date, we have no indication that customer data is involved." Netblocks shared information and graphs showing that the incident began on February 24 and has continued since then.
READ THE STORY: ZDNet
Toyota Suspends Production at 14 Plants Following Possible Cyber Attack
FROM THE MEDIA: A "system failure" at one of its domestic suppliers early Tuesday, likely due to a cyber attack, has caused Toyota to suspend production at 14 of its plants, the automaker announced via a statement. Though the automaker's official statement makes no mention of one, Nikkei reports that one of Toyota's Tier 1 suppliers, Kojima Industries, seems to have been the target of a cyber attack. "It is true that we have been hit by some kind of cyber attack," the outlet cited an unnamed source close to the matter as saying. "We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota's production system as soon as possible." A total of 28 production lines will be paused due to the failure, which affects vehicles across the Toyota, Daihatsu, and Hino brands, according to Nikkei. In an emailed statement to The Drive, a Toyota spokesperson estimated that the production suspension will impact 13,000 vehicles in Japan, but also noted that the company believes there will be no impact on North American production at this time. It's unclear if Toyota will resume production on Wednesday, as the spokesperson declined to answer this particular question.
READ THE STORY: The Drive
Ukraine-Russia Cyber Warzone Splits Cyber Underground
FROM THE MEDIA: A pro-Ukraine Conti member spilled 13 months of the ransomware group’s chats, while cyber actors are rushing to align with both sides. The Russia-Ukraine cyber warzone has split the Conti ransomware gang into warring factions, leading to a Ukrainian member spilling 60,000 of the group’s internal chat messages online. On Monday, vx-underground – an internet collection of malware source code, samples and papers that’s generally considered to be a benign entity – shared on Twitter a message from a Conti member saying that “This is a friendly heads-up that the Conti gang has just lost all their sh•t.” The gang has also, apparently, lost a cache of chat data: the first dump of what the poster promised would be multiple, “very interesting” leaks coming from Conti’s Jabber/XMPP server. “F•ck the Russian government, Glory to Ukraine!” the Conti member, who’s reportedly believed to be Ukrainian, proclaimed. Threatpost advises caution about clicking on any links provided in social media messages: They are, after all, provided by a ransomware group and should be treated with kid gloves.
READ THE STORY: Threatpost // The Record
Recorded Future: Russia may retaliate with cyber attacks
FROM THE MEDIA: Retaliatory cyber attacks against Western organizations that support Russian sanctions are a real possibility, according to Recorded Future. During a briefing on Russia's full-scale invasion of Ukraine Monday, Craig Terron and Brian Liston, threat analysts with Recorded Future's Insikt Group, discussed potential threats and attributions, as well as mitigation recommendations. Reports and data analyzed so far, including an increase in activity before the invasion, "suggests that Russia and Western governments are in a standoff waiting to see who conducts a cyber attack first," according to Terron. Advanced persistent threat (APT) groups like the Belarusian government-linked UNC1151, as well as the prolific ransomware gang Conti, potentially offer Russia a way to retaliate. Prior to the invasion, Russian law enforcement announced the arrests of REvil ransomware members and the shutdown of SkyFraud, a forum used to sell stolen credit cards. Now, Terron said, Russia "no longer" possesses that same incentive to crack down, especially on ransomware groups. "Similar to Russia's use of private military companies, pushing cybercriminal groups targeting the Western organizations is in line with the Russian strategic goals, while providing the Russian government with an opportunity to deny involvement in the attacks," Terron said during the webinar.
READ THE STORY: TechTarget
'Most advanced' China-linked backdoor ever, Daxin, raises alarms for cyber-espionage investigators
FROM THE MEDIA: A backdoor in use as recently as November 2021 is the “most advanced piece of malware” ever seen from China-linked spies, according to researchers at Symantec. The cybersecurity company said Monday that the backdoor, dubbed Daxin, is part of “a long-running espionage campaign against select governments and other critical infrastructure targets,” most of them of strategic interest to China. The malware “appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” the researchers said. “This isn’t really comparable to any other strains of China-linked malware in our opinion. It’s on another level,” Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, told CyberScoop. “It would be near the same level as malware we’ve seen attributed to Western powers, but maybe not as well put together.” Symantec, part of Broadcom Software, said it worked with the U.S. government’s new public-private initiative, the Joint Cyber Defense Collaborative, to share information about Daxin. The company cooperated with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “to engage with multiple foreign governments targeted with Daxin and assisted in detection and remediation.” A spokesperson for CISA did not immediately offer comment.
READ THE STORY: CyberScoop // CRN
Signal says hacking reports part of 'misinformation campaign'
FROM THE MEDIA: Signal, the encrypted messaging app, said it has not been hacked and that reports that say otherwise are part of a “misinformation campaign.” In a statement, the company pointed to an increase in use in Eastern Europe amid Russia's invasion of Ukraine. It said rumors that it had been hacked were likely an effort to prevent people from using the secure service. “We've had an uptick in usage in Eastern Europe & rumors are circulating that Signal is hacked & compromised. This is false. Signal is not hacked,” the company said in a statement on Monday. “We believe these rumors are part of a coordinated misinformation campaign meant to encourage people to use less secure alternatives.” “We’re seeing these rumors appear in messages forwarded on several different apps,” Signal added. “These rumors are often attributed to official government sources and read ‘attacks on Signal platform.’ This is false and Signal is not under attack.” Ukrainian citizens are fleeing the country amid the invasion, and many inside and outside Ukraine are seeking to communicate through services that are intended to ensure their privacy.
READ THE STORY: The Hill
Ukraine creates 'IT army' of civilians to hack Russian websites, 'fight on the cyber front'
FROM THE MEDIA: The Ukrainian government has asked civilians to join the fight against Russia — online. Mykhailo Fedorov, Ukraine's Minister of Digital Transformation, put out a call this weekend asking for civilians with "digital talents" to join the country's "IT army." More than 237,000 people responded by joining a channel on the instant messaging service Telegram, where organizers have posted tasks encouraging members to “use any vectors of cyber and DDoS attacks” on dozens of Russian websites. DDoS — or distributed denial of service — attacks render websites unreachable by flooding them with so much traffic that they are effectively taken offline. "There will be tasks for everyone," Fedorov said on Twitter. "We continue to fight on the cyber front." The initial targets for the online attacks included a list of Russian government, business and banking sites. A subsequent list included news outlets and urged volunteers to report YouTube channels "who openly lie about the war in Ukraine." The recruiting tactic is a "logical extension" of the country's call for civilian volunteers to fight in the armed conflict, said Michael Daniel, the head of the industry group Cyber Threat Alliance. "While it's sort of unprecedented in cyberspace terms, it's certainly not novel in the history of warfare," said Daniel, who served as White House cyber coordinator under President Obama.
READ THE STORY: USA Today
Anonymous hacked Vladimir Putin’s luxurious yacht and “sent him to hell”
FROM THE MEDIA: As part of one of its actions after declaring “cyber war” on Russia, Anonymous – the well-known hacktivist group – claims to have penetrated the defenses of the Graceful, the US$100 million luxury yacht that Russian President Vladimir Putin has among his possessions, compromising information such as its location. It was Anonleaks, part of the group, who claimed responsibility for this attack. The Times reported that the three-deck vessel had been at Germany’s Blohm+Voss shipyard since September for refurbishment work such as two new decks, hull cleaning and engine reconditioning. However, before the war began, Putin ordered the Graceful to return from Hamburg to Kaliningrad, part of Russian territory. Ryan Gallagher, a journalist for Bloomberg, reported that Anonleaks – on behalf of Anonymous – tampered with the Automatic Identification System (AIS) data by which ships are tracked around the world and made the yacht appear to have run aground on Ukraine’s Snake Island. The group even renamed the vessel’s destination in the tracking data to “hell”.
READ THE STORY: D1SBnews
Lack of visibility plaguing ICS environments
FROM THE MEDIA: Dragos released its report on cyber threats facing industrial organizations, naming the emergence of three new threat groups targeting ICS/OT environments, including two that have gained access to the OT systems of industrial organizations. The report also shows that the number of vulnerabilities discovered in OT systems in 2021 more than doubled over the previous year, to 1,703. Ransomware became the number-one attack vector among industrial organizations, with manufacturing the most targeted sector, representing 65%, or 211, of the ransomware cases detected at industrial organizations. The Dragos YIR report is an annual overview and analysis of ICS/OT-focused global threat activities, vulnerabilities, and industry insights and trends. The report aims to share data-informed observations and lessons learned from within the industrial community to give asset owners and operators actionable information and recommendations to help them more fully understand cyber risks to their ICS/OT environments and strengthen their cyber readiness. “While the industrial community has discussed the importance of OT cybersecurity for years, 2021 brought high-profile attacks that showed the real-world outcomes on local communities and global economies,” said Robert M. Lee, CEO of Dragos.
READ THE STORY: Help Net Security
Hackers Threaten NVIDIA With 1TB Data Leak Including A Full GeForce Low Hash Rate Bypass
FROM THE MEDIA: This story continues to get stranger. On the 25th, The Telegraph ran a story claiming to have insider knowledge of a hack at NVIDIA HQ. At that time, it wasn't known who was responsible or what their motives were; the outlet speculated that it may have been related to the ongoing conflict in Ukraine. The very next day, however, it came out that the ransomware gang Lapsus was claiming responsibility for the attacks. The group said that it had stolen 1TB of data from NVIDIA's servers and was attempting to ransom it back to NVIDIA for an unspecified (but probably quite large) sum. Amusingly, Lapsus claims that NVIDIA hacked them back, installing ransomware on the thieves' machines. If true, then it was likely an attempt to destroy the stolen data. Said attempt was supposedly fruitless: even though the ransomware hit was successful, Lapsus claims it had already backed up the stolen bits. Well, after the story got some traction this weekend, Lapsus made a public announcement on Telegram essentially saying, 'NVIDIA, contact us or we'll release all of your private data'. As part of the data it stole, Lapsus claims to have "the most important stuff, schematics, driver, firmware, etc..." Such a data packet is a tantalizing prize, because things like GPU firmware and driver source code are tightly controlled trade secrets that likely only a few even inside NVIDIA are allowed to access.
READ THE STORY: Hot Hardware
Items of interest
The 5×5—What’s in a cyber strategy? (Article)
FROM THE MEDIA: On January 25, the United Kingdom published its first-ever Government Cyber Security Strategy. The document outlines the panoply of cyber threats facing the United Kingdom and announces measures for protecting UK public services, including increased funding for local authorities and the establishment of a center to improve cybersecurity coordination across the public sector. In the coming year, US President Joe Biden’s administration is expected to release its own national cyber strategy to provide a roadmap for improving US capabilities and defending the United States from cyber threats. Some have speculated that, if the cyber section of President Biden’s Interim National Security Strategic Guidance was any indication, the forthcoming national cyber strategy will likely be largely a continuation of the 2018 version of the document published by the previous administration—the first US national cyber strategy in fifteen years. What’s in a cyber strategy, how should one be created, how can observers gauge its effectiveness, and how might such a strategy be reflected in real-world conflicts? We brought together a group of experts, with experiences from government to academia to industry, to share a range of perspectives. These responses were collected and edited prior to the start of Russia’s massively expanded invasion of Ukraine on February 24 and subsequent developments.
READ THE STORY: Atlantic Council
The 3 ways that Tesla & SpaceX are trying to help Ukraine (Video)
FROM THE MEDIA: As a war rages in Ukraine following an invasion by Russia that began last week, internet service in Ukraine has been experiencing "significant disruptions," according to a report from monitoring group Netblocks. Now, after promising to do so on Twitter, SpaceX CEO Elon Musk has provided Ukraine with internet connectivity through the company's Starlink satellites. On Monday (Feb. 28), Mykhailo Fedorov, Ukraine's vice prime minister and the country's minister of digital transformation, shared a photo on Twitter of a batch of additional terminals that can be used to access SpaceX's Starlink satellite internet service. Ukraine's lack of connectivity had become so severe that on Saturday (Feb. 26), Fedorov asked Musk for assistance on Twitter: "@ElonMusk, while you try to colonize Mars — Russia try to occupy Ukraine! While your rockets successfully land from space — Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand," Fedorov said. Musk was quick to respond, stating that SpaceX had activated its Starlink internet service in Ukraine and that it was sending additional Starlink tech to the country. "Starlink service is now active in Ukraine. More terminals en route," Musk wrote on Twitter. And today, just two days later, Fedorov shared the image of the newly arrived terminals in Ukraine. "Starlink — here. Thanks, @elonmusk," Fedorov tweeted, to which Musk replied: "You are most welcome." But Musk is making good on his promise in more ways than one. Not only did the technology arrive in Ukraine, but there are already reports showing that it's up and running.
We’ve seen destructive attacks in Ukraine masquerading as ransomware, says Mandiant CEO (Video)
FROM THE MEDIA: Kevin Mandia, Mandiant CEO, joins 'Closing Bell' to discuss what Mandiant is seeing in terms of cyber hostility, what sectors are most vulnerable to cyber attacks and whether companies are preemptively spending on cybersecurity in preparation for an attack from Russia.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com