Tuesday, March 29, 2022 // (IG): BB // Weekly Sponsor: DiyGarage SoCal
Leaked Details of the Lapsus$ Hack Make Okta’s Slow Response Look More Bizarre
FROM THE MEDIA: IN THE WEEK since the digital extortion group Lapsus$ first revealed that it had breached the identity management platform Okta through one of the company's sub-processors, customers and organizations across the tech industry have been scrambling to understand the true impact of the incident. The sub-processor, Sykes Enterprises, which is owned by the business services outsourcing company Sitel Group, confirmed publicly last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel's initial breach notification to customers, which would include Okta, on January 25, as well as a detailed “Intrusion Timeline” dated March 17. The documents raise serious questions about the state of Sitel/Sykes' security defenses prior to the breach, and they highlight apparent gaps in Okta's response to the incident. Okta and Sitel both declined to comment about the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED. When the Lapsus$ group published screenshots claiming it had breached Okta on March 21, the company says that it had already received Sitel's breach report on March 17. But after sitting with the report for four days, Okta seemed to be caught flat-footed when the hackers took the information public.
READ THE STORY: Wired
Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA
FROM THE MEDIA: Not all MFA is created equal, as script kiddies and elite hackers have shown recently. Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential. That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection. The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies balancing the needs of both security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into the devices or dedicated security keys to confirm they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them. That’s where older, weaker forms of MFA come in.
READ THE STORY: Arstechnica
How Nokia enabled Russian hacking — and made millions doing it
FROM THE MEDIA: Along with dozens of other companies complying with sanctions against Russia, Nokia suspended deliveries to clients in Russia on March 1. But it left behind software and equipment that can now be seen as aiding the war in Ukraine, according to the New York Times. For many years, the Finnish network equipment-maker supplied Vimpelcom, Megafon and Tele2 in Russia, but a vast proportion of its business there came from MTS, Russia’s largest telecom service provider. Nokia provided equipment and services to link Vladimir Putin’s System for Operative Investigative Activities (SORM) to MTS, according to 75,000 company documents read by the Times. “While Nokia does not make the tech that intercepts communications, the documents lay out how it worked with state-linked Russian companies to plan, streamline and troubleshoot the SORM system’s connection to the MTS network,” the paper says. “Russia’s main intelligence service, the FSB, uses SORM to listen in on phone conversations, intercept emails and text messages, and track other internet communications.” The Times also indicates that Nokia was aware of what Russia was doing with the tech, which was worth hundreds of millions of dollars to the publicly listed company over many years. It is not by any means the only such business trading with the country, inadvertently helping in some way to spy on dissidents and political rivals.
READ THE STORY: NP
CISA Urges Mitigation After White House Warns of Russian Cyber Incidents
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) is calling on all organizations big and small to take immediate action in guarding their networks against possible cyberattacks by Russia. Last week the Biden-Harris Administration issued a warning that Russia may engage in malicious cyber activity as a result of the recent economic sanctions imposed by the U.S. following the Russian invasion of Ukraine. According to CISA Director Jen Easterly, every business and entity should consider themselves at risk and be prepared for a possible cyber incident. CISA, along with other federal agencies such as the Department of Energy (DOE) and the FBI, recently participated in a call providing an overview of the current cyber risk landscape. CISA encouraged everyone to take the necessary steps to keep their networks safe. Organizations can help limit damage and prevent further attacks when they report cyber incidents quickly, the agency said. “Resilience is crucial — I’m encouraging everyone to be prepared to respond so we can recover rapidly by assuming disruptive cyber activity will occur,” Easterly said.
READ THE STORY: Government CIO Media
Musk's Starlink now aiding Ukrainian military strikes
FROM THE MEDIA: Elon Musk's Starlink network of satellites was marketed as a means to provide internet access in hard-to-reach locations. Now these powerful devices are being used to guide Ukrainian drone strikes, German newspaper DW reported. "We use Starlink equipment and connect the drone team with our artillery team," one Ukrainian officer told Britain’s The Times, adding that his unit uses Starlink to connect between drones flying surveillance and artillery batteries firing on Russian positions. "If we use a drone with thermal vision at night, the drone must connect through Starlink to the artillery guy and create target acquisition," the officer said. Starlink has also been a major source of internet for Ukrainians otherwise cut off from the world, DW reported. This has led to cyber-duels between the company and Russia, as the invading forces have attempted to jam Starlink receivers and the satellite company has issued software updates to bypass them, according to DW.
READ THE STORY: The Hill
Major Ukraine Internet Provider Gets Hit With A Cyberattack
FROM THE MEDIA: Ukraine's main internet provider is the latest victim of a cyberattack, over a month into the conflict with Russia. According to a report by Yahoo, the company Ukrtelecom reported a cyberattack targeting its core infrastructure. This is enough to potentially disrupt the company's service nationwide, which is why it is being considered the "most severe" breach ever recorded since the war began. The cyberattack was further confirmed by Ukrtelecom chief executive Yuriy Kurmaz. He says that they've been "forced" to restrict internet access to a lot of their enterprise and private consumers due to the attack. This decision was made so their services, which are being used by Ukraine's armed forces, won't be disrupted in any way. Despite that, though, Kurmaz says that they have already fought back the attack. As a result, a gradual resumption of internet service across the war-torn country is expected within the foreseeable future. Cybersecurity specialists from the Ukrainian government had a helping hand in fighting back against the attack.
READ THE STORY: Tech Times
Space systems as critical infrastructure. Comment on proposed US SEC cyber risk management and disclosure rules
FROM THE MEDIA: As Via Satellite notes, the White House has been debating for months whether critical infrastructure cyberspace includes, well, literal space. During the Value of Space Summit hosted by Space ISAC and The Aerospace Corporation in October, Lockheed Martin senior fellow Dr. Dawn Beyer stated, “I’m surprised that the United States is still talking about whether or not space should be part of the critical infrastructure — I don’t think our adversaries are struggling with that question,” referencing China’s reported recent testing of a nuclear-capable hypersonic missile. Experts worry that rivals see space as a chink in the US’s cybersecurity armor, especially distressing as the ongoing war in Ukraine has officials warning of almost inevitable Russian cyberaggression. Samuel Visner, technical fellow for MITRE, explained, “Our adversaries see space as critical to their national interest. Frankly, I think they see [space] as a vulnerability to our national interest that they can exploit in support of their national interest. While we are considering this issue, our adversaries and potential adversaries are being active.” The US Cybersecurity and Infrastructure Security Agency has designated sixteen critical infrastructure sectors, and though space has not been included in this list, space tech supports many of these sectors, including communications, defense industrial base, and food and agriculture.
READ THE STORY: The Cyberwire
IcedID malware, in the hijacked email thread, with the insecure Exchange servers
FROM THE MEDIA: Cyber-criminals are using compromised Microsoft Exchange servers to spam out emails designed to infect people's PCs with IcedID. IcedID is bad news because if you're tricked into running it, it opens a backdoor allowing further malware, such as ransomware, to be injected into your system. Marks typically receive an encrypted .zip as an attachment, with the password in the email text, and instructions to open the contents of the archive. Doing so starts a downloader that deploys IcedID on the computer. IcedID itself isn't new. IBM's X-Force threat hunters said they discovered the Windows software nasty back in 2017, when it was primarily designed to steal victims' online banking credentials. It popped up last year when crooks hijacked a BP Chargemaster domain to spam out emails to spread IcedID. On Monday, Fortinet's FortiGuard Labs said it observed an email sent to a Ukrainian fuel company with a .zip containing a file that when opened drops IcedID on the PC. Security vendor Intezer also on Monday said it had seen unsecured Microsoft Exchange servers spamming out IcedID emails. The team said they discovered the campaign in mid-March, and said it targets energy, healthcare, law, and pharmaceutical organizations.
READ THE STORY: The Register
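The lure shape described above (an encrypted .zip attachment whose password is handed over in the message body) is easy to flag at a mail gateway. The following is an added example, not code from The Register or the vendors cited; the messages, sender address and attachment contents are constructed inline, and the "encrypted" archive only has its ZIP encryption flag bit set so the check can be exercised offline.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Phrases that typically accompany an "open the archive with this password" lure.
PASSWORD_RE = re.compile(r"\bpass(?:word|code)?\s*(?:is|:)\s*\S+", re.I)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry in the archive has the traditional ZIP encryption bit set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def score_message(raw: bytes) -> list:
    """Return the lure indicators found in one RFC 5322 message (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if PASSWORD_RE.search(text):
        hits.append("password-in-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True)):
            hits.append("encrypted-zip:" + name)
    return hits


def make_zip(encrypted: bool) -> bytes:
    """Build a tiny archive; optionally set the encryption flag bit the way a
    password-protected archive would (content stays plaintext: constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt", b"placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 in the local header, offset 8 in the central directory.
        data[data.index(b"PK\x03\x04") + 6] |= 0x1
        data[data.index(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


def make_message(body: str, encrypted_zip: bool) -> bytes:
    """Constructed sample mail with a .zip attachment (sender is a placeholder)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["Subject"] = "Re: outstanding invoice"
    msg.set_content(body)
    msg.add_attachment(make_zip(encrypted_zip), maintype="application",
                       subtype="zip", filename="documents.zip")
    return bytes(msg)


LURE = make_message("See attached. Archive password: 1234", True)
CLEAN = make_message("Here is the quarterly report.", False)
```

A gateway rule would act only when both indicators fire together, since legitimate senders do occasionally mail encrypted archives and do occasionally mention passwords.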
Russian cyberattacks are a threat. But so is Americans’ fear of shortages
FROM THE MEDIA: Reports of Russian cyberattacks against our domestic infrastructure have raised alarms and calls for heightened vigilance across the United States’ public and private sectors. Given that the U.S. and its allies have imposed significant economic sanctions against Russia for its attack of Ukraine, state-sponsored Russian cyberattacks are likely; they may be viewed as an effective form of retaliation. Domestic infrastructure, including our nation’s power grid, food supply chain, water systems, financial system and government agencies, have all been targets of cyberattacks for years. For example, last spring, ransomware attacks against the Colonial pipeline and meat producer JBS temporarily disrupted fuel and food supply chains. The attacks were traced to an organization based in Russia. Its motives were clearly financial — secure payments from large organizations with deep pockets that cannot afford such a disruption to their operations and supply chains. Are cyberthreats from state-sponsored Russian operatives potentially more lethal? The problem is differentiating between state-sponsored attacks and attacks by cybercriminals. Their motives may be different, but the tools that they use still require penetrating cybersecurity walls through weak links, such as by exploiting vulnerabilities in multifactor authorization protocols.
READ THE STORY: Chicago Tribune
Belarusian Cyber Partisans Explain Why They’re Hacking to Stop Russia
FROM THE MEDIA: The Belarusian Cyber Partisans were trying to buy some time. By hacking into systems of the Belarusian rail network, they hoped to disrupt the movement of Russian troops who eventually planned to cross over into Ukraine. The hacking group appeared to be successful; trains were delayed. Over the last few months, and in the wake of Russia’s invasion of Ukraine, the Cyber Partisans have become one of the most high-profile hacktivist groups in the world. With the current flurry of hacktivism activity around Ukraine from the likes of Anonymous and other independent groups, the Cyber Partisans still stand as a leader, penetrating targets that could have a real, tangible effect in the physical world. In a new on-camera interview with VICE World News, Yuliana Shemetovets, spokesperson for the Cyber Partisans, explains the group’s motivations, goes over some of their most high-profile and impactful hacks, and dives into why much of this hacking was possible in the first place. One reason was that Alexander Grigoryevich Lukashenko, the president of Belarus, “prefers loyalism over professionalism,” Shemetovets said. She pointed to how some of the Belarusian railway system computers were using Windows XP, a horrendously outdated operating system whose presence can make it easier for hackers to break into machines running it.
READ THE STORY: VICE
Managing U.S.-China Tensions Over Public Cyber Attribution
FROM THE MEDIA: “Managing U.S.-China Tensions Over Public Cyber Attribution” is the second joint research publication produced by the Shanghai Institutes for International Studies (SIIS) in collaboration with the Carnegie Endowment for International Peace (CEIP). The first joint publication, “China-U.S. Cyber-Nuclear C3 Stability,” launched in April 2021, has presented an insightful analysis on China-U.S. cyber and nuclear security, offering many valuable policy recommendations for both governments, thus garnering high attention from the policy community and academia in both China and the United States. Inspired by the first concerted effort, SIIS and CEIP task forces carried out further studies and presented their latest findings in this compilation. With high respect, I applaud their unremitting efforts and collaborative spirit in accomplishing this informative publication of valuable academic and policy reference. Public attribution is an important yet sensitive issue in cyberspace interaction between China and the United States.
READ THE STORY: Carnegie Endowment
Items of interest
An interview with the chief technical officer at Ukrtelecom (Article)
FROM THE MEDIA: With roots in a military experiment, the internet is now an essential tool during war—for both civilians and the army. Prior to Russia’s invasion of Ukraine, local officials warned that Russia might try to disconnect Ukraine’s internet. But as Russian tanks rolled into the country on Feb. 24, subsequent attacks didn’t have a significant effect on the country’s internet. Some analysts argue the Russian military isn’t attacking online infrastructure because it needs the Ukrainian internet to stay connected or gather intelligence. Others say that Ukraine has managed to build a resilient infrastructure maintained by local internet providers. That’s what Dmytro Mykytiuk, chief technical officer of Ukrtelecom, a major provider of mobile and broadband internet in the country, told The Record in a recent interview—shortly before Ukrtelecom appeared to suffer a cyberattack that dramatically curtailed its service. In a comment after news about the cyberattack broke, Ukrtelecom confirmed to The Record that “technical problems affected most” of their users and they are working to restore service as fast as possible. Ukrtelecom was previously a state-owned company, controlling the country’s telecommunication market. In 2013, a 24,000-employee behemoth relying on obsolete technology was acquired by Ukraine’s richest person Rinat Akhmetov. He later was sued by the state for investing too little in the development of its business, but won a lawsuit in 2019. At the beginning of 2021, the company had 203,000 broadband internet users, bringing it $33 million in revenue. The Ukrainian effort has focused on cutting off invaders from communication networks, while keeping stable internet available for those who hide in bomb shelters, study online in their basements, or want to ask their friends and relatives in the occupied territories the most important question—“Yak ty?” (“How are you?” in Ukrainian).
READ THE STORY: The Record
How China Built Cyber-espionage Chinese Hackers (Video)
Recently, the "latest sophisticated type of malware" believed to be used by cybercriminals was uncovered. The sneaky back door, codenamed Daxin, was utilized in spying activities on governments all around the globe for a decade before this was discovered. The newly found malware, however, is not really one. It's just one more proof that China's ten-year goal to become a cyber giant is paying dividends. Whereas Beijing's attackers were originally renowned for basic smash-and-grab tactics, they are now one of the finest in the world because of a policy of strict regulation, large investment, and unique infrastructure for providing hacking tools to the government. This shift has been occurring for years, and it is being fueled by a variety of factors. It has been in the works for a long time, and it is being led from the executive level. President Xi Jinping launched a reform of China's intelligence services shortly after taking the chair, prioritizing cyberwarfare and initiating a "fusion" of military and civilian institutions aimed at enhancing the country's cyber abilities.
Russia’s Cyber Capabilities (Video)
FROM THE MEDIA: As the Ukraine-Russia war continues to escalate, countries, companies, and individuals have growing concerns about the global impact, what it means to them, and what they should be doing now and in the future. Equipped with this knowledge, attendees will better understand Russian capabilities, learn to limit the effectiveness of known disinformation and cyber-attack methodologies, and begin developing a customized threat hunting strategy for defeating Russian-sponsored attackers and supporters.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com