Daml’ers,
Before we start this week’s update it’s important to acknowledge what is going on in the world around us. There is a physical war involving the attack on Ukraine where the courage and the stamina of the people have engendered new levels of respect and awe, and there is a cyberwar.
Both at the direction of one individual.
Every single inhabitant on this planet will pay for his decision. Some will lose their homes, others their retirement savings, some will pay more for food and fuel, and some will pay the ultimate sacrifice.
Where ever you are in the world, if you can help, please do help.
In the best IT Privacy and Security Weekly Update yet we start by covering current events, before lifting the lid on your home router, going underground (literally), and then finishing high above the Earth.
Let’s start our journey.
Global: Russia Sanctions May Spark Escalating Cyber Conflict
Michael Daniel heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.
- The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPeyta event — basically some type of cyberweapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely-used piece of hardware or software.
Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.
- “The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”
Russia has already been caught planting malware in the same kind of industrial computers used by power utilities in both Australia and the US.
In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. A retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.
So what’s the upshot for you? It’s not only the Ukraine that Russia is taking to war. It’s the whole world.
Global: ‘Whatever it takes’
Industrial control systems security firm Dragos, in response to concerns over retaliatory cyber responses outside of Ukraine, on Thursday offered up free cybersecurity support and incident response to cooperative and municipally-owned utilities in the United States, United Kingdom and New Zealand.
The new users will be automatically enrolled in Dragos’ Neighborhood Keeper, a real-time threat detection and information sharing platform that counts the NSA and CISA as partners.
The service will stay free for the next two years.
Whatever it takes, we’ll do it.” Dragos CEO and founder Rob Lee said.
So what’s the upshot for you? This is a little more help with cyber defense, but we think they may end up overwhelmed by the response.
UA: List of Cybersecurity Resources for Ukraine
This is a dictionary of companies or verified experts offering cybersecurity services, data, or other tangible assets to assist in Ukraine’s defense of its independence. Secondarily, this may also have resources for other entities in responding to the increasing threat of Russia beyond its borders.
So what’s the upshot for you? These donated resources are from companies that have been vetted and will be held to providing the resources they suggest they will provide, so it’s not just a PR exercise.
UA: Free Cyber & Humanitarian Services for Ukraine
Chris Culling (@chrisculling) has compiled a spreadsheet titled Free Cyber & Humanitarian Services for Ukraine, which has some additional content for businesses needing cybersecurity services but also has content for individuals needing many essential security/communications resources (free texts/calls/connectivity, VPN accounts for journalists, antimalware, etc.).
This list is exceptionally high quality and extends the services/options available to those in need: Free Cyber & Humanitarian Services for Ukraine - Google Sheets
So what’s the upshot for you? We have already heard from the Slovakian arm Orange and confirm they are delivering on their promise of phone service.
US: US lobbyists rush to cut ties with lucrative Russian contracts
In the years leading up to Russia’s attack on Ukraine, US lobbyists have raked in millions of dollars from Russian banks and financial firms paying to push their interests in Washington.
Now, in the wake of the Russian invasion and new sanctions announced by President Joe Biden, many of those lobbying firms are rushing to cut ties and drop their lucrative contracts.
At least six lobbying firms that previously represented now-sanctioned Russian banks and companies tied to a Russian natural gas pipeline terminated their contracts or representation this week, according to statements and federal lobbying disclosures.
The exodus marks the rupture of a Moscow-to-K-Street conduit that has long employed former federal officials and members of Congress of both parties, experts said.
So what’s the upshot for you? Before you start to think better of this hoard of lobbyists in Washington D.C., dropping contracts with fully blocked banks is not a gesture of solidarity with Ukraine, “this is a requirement under US law.” Lobbyists could face prosecution for running afoul of sanctions laws.
Global: Anonymous Activity
Late last Thursday, Anonymous the hacker collective tweeted that it had Vladimir Putin’s regime in its sights. “The Anonymous collective is officially in cyberwar against the Russian government.” #Anonymous #Ukraine— Anonymous (@YourAnonOne) February 24, 2022
In the days since, the group has claimed credit for several cyber incidents including distributed denial of service attacks – where a site is rendered unreachable by being bombarded with traffic – that have brought down government websites and that of Russia Today, the state-backed news service. The DDoS attacks still appeared to be working on Sunday afternoon, with the official sites for the Kremlin and Ministry of Defence inaccessible.
Anonymous also said it had hacked the Ministry of Defence database, while on Sunday it was claimed the group had hacked Russian state TV channels, posting pro-Ukraine content including patriotic songs and images from the invasion.
Then international hacker collective Anonymous appears to have again made good on its declaration of cyberwar against Russia and its allies, apparently exposing 200GB of emails from Belarusian weapons manufacturer Tetraedr.
Anonymous breached the firm’s defenses and released the most recent 1,000 emails from inboxes belonging to Tetraedr employees, passing them over in .EML format to the information transparency platform DDoSecrets.
Tetraedr is a private company founded in 2001 that specializes in making advanced radio-electronic weapons systems. It is based in Belarus, which has provided Vladimir Putin with logistical support in his invasion of Ukraine. Its dictatorial leader, Alexandr Lukashenko, has long been regarded as a puppet of Putin.
So what’s the upshot for you? Anonymous said it is also working “to keep the Ukrainian people online as best we can.”
Jamie Collier, a consultant at US cybersecurity firm Mandiant, stated: “It can be difficult to directly tie this activity to Anonymous, as targeted entities will likely be reluctant to publish related technical data. However, the Anonymous collective has a track record of conducting this sort of activity and it is very much in line with their capabilities.”
RU: Conti ransomware gang chats leaked by pro-Ukraine member
A member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on Friday, in the aftermath of Russia’s invasion of Ukraine.
The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists and security researchers.
- Messages showing Conti’s relationship with the TrickBot and Emotet malware gangs, from where they often rented access to infected computers to deploy their malware.
- Messages confirming that the TrickBot botnet had shut down earlier this month.
- Messages containing ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident.
- Bitcoin addresses where the Conti gang received payments, which would be useful to law enforcement to track down the gang’s profits.
- Messages showing that the Conti gang attempted to set up demos with security companies like CarbonBlack and Sophos in an attempt to test their tools and find evasion methods to avoid detection.
- The leaker also added that the Jabber/XMPP logs are only the first part of a larger set of Conti-related files they plan to release in the future.
So what’s the upshot for you? Interestingly, several other Russian hacking teams seemed to have immediately toned down their language after this, with some explaining that they are “politically neutral”.
UA: Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion
“Several hours before the launch of Russian missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith said.
“We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success.”
Smith said that within three hours of discovering FoxBlade, Microsoft had added new signatures to its Defender anti-malware service to detect the exploit.
So what’s the upshot for you? We almost forgot Microsoft could move this quickly.
CN: New Chinese hacking tool found
Feb 28 (Reuters) - Security researchers with U.S. cybersecurity firm Symantec said they have discovered a “highly sophisticated” Chinese hacking tool dubbed Daxin, that has been able to escape public attention for more than a decade.
Symantec’s attribution to China is based on instances where components of Daxin were combined with other known, Chinese-linked computer hacker infrastructure or cyberattacks, said Vikram Thakur, a technical director with Symantec.
Symantec researchers said the discovery of Daxin was noteworthy because of the scale of the intrusions and the advanced nature of the tool.
“The most recent known attacks involving Daxin occurred in November 2021. Daxin’s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic.”
Daxin’s victims included high-level, non-Western government agencies in Asia and Africa.
“Daxin can be controlled from anywhere in the world once a computer is infected,” said Thakur. “That’s what raises the bar from malware that we see coming out of groups operating from China.”
So what’s the upshot for you? The actors have been successful in not only conducting campaigns but being able to keep their creation undiscovered for over a decade.
IL: Shedding Light on Samsung’s insecure phone security
Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.
Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.
What’s more, cyber attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s security protocols. That would set up a phone to be vulnerable to future attacks
Samsung’s TrustZone splits a phone into two portions, known as the Normal World (for running regular tasks, such as the Android OS) and the Secure World, which handles the security subsystem and where all sensitive resources reside. The Secure World is only accessible to trusted applications used for security-sensitive functions, including encryption.
“Loosely speaking, AES-GCM needs a fresh burst of securely chosen random data for every new encryption operation – that’s not just a ‘nice-to-have’ feature, it’s an algorithmic requirement. In internet standards language, it’s a MUST, not a SHOULD.
That fresh-every-time randomness (12 bytes’ worth at least for the AES-GCM cipher mode) is known as a ‘nonce,’ short for Number Used Once – a jargon word that cryptographic programmers should treat as a command, not merely as a noun.”
er, but Samsung’s cryptographic code didn’t enforce that requirement. So by exploiting this loophole, the researchers were able to pull off a feat that’s “supposed to be impossible, and the team was able to extract cryptographic secrets from inside the secure hardware.”
Matthew Green, cryptographer, security technologist, and Associate Professor of Computer Science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated “serious flaws” in the way its phones encrypt key material in TrustZone, calling it “embarrassingly bad.”
So what’s the upshot for you? “There is always pushback in the security research community against doing “attack work” that finds these vulnerabilities. Which is reasonable but too bad since the alternative is a company like Samsung f*rting your secret keys everywhere.” says Matthew Green
UK: Think you can maintain your privacy underground? Think again.
The quantum gravity gradiometer, which was developed under a contract for the UK Ministry of Defense and in the UKRI-funded Gravity Pioneer project, was used to find a tunnel buried outdoors in real-world conditions one meter below the ground surface. It wins an international race to take the technology outside.
The sensor works by detecting variations in microgravity using the principles of quantum physics, which is based on manipulating nature at the sub-molecular level.
The success opens a commercial path to significantly improved mapping of what exists below ground level.
This will mean:
- Reduced costs and delays to construction, rail, and road projects.
- Improved prediction of natural phenomena such as volcanic eruptions.
- Discovery of hidden natural resources and built structures.
- Understanding archaeological mysteries without damaging excavation.
So what’s the upshot for you? “Detection of ground conditions such as mine workings, tunnels, and the unstable ground is fundamental to our ability to design, construct and maintain housing, industry, and infrastructure. The improved capability that this new technology represents could transform how we map the ground and deliver these projects.”
US: NVIDIA Confirms Employee Credentials Stolen in Cyberattack
"NVIDIA this week acknowledged that employee credentials were stolen during a cyberattack on February 23 and confirmed the attackers have started leaking the information online.
The compromise occurred on February 23 and impacted certain “IT resources,” an NVIDIA spokesperson told SecurityWeek.
“Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement,” the NVIDIA spokesperson added.
While the investigation into the incident continues, NVIDIA says that it hasn’t found evidence that ransomware was deployed on its network."
So what’s the upshot for you? NVIDIA is still assessing the extent of the intrusion.
EU: Viasat Attributes Outage to "Cyber Event"
The timing of the disruption coincides with Russian President Vladimir Putin’s authorization of “special military operations” in Ukraine, with multiple ISPs reporting outages since the early hours of February 24.
PaxEX.Aero confirmed three outages but said as many as six may have occurred. Impacted ISPs include one in France and EUSANET in Germany
So what’s the upshot for you? “Viasat is experiencing a partial network outage impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network."
Global: SpaceX shipment of Starlink satellite-internet dishes arrives in Ukraine, a government official says
A shipment of SpaceX’s Starlink satellite-internet dishes arrived in Ukraine on Monday, less than 48 hours after CEO Elon Musk announced the company would send support, according to a top official in the nation’s government.
Fedorov wrote on Twitter: “@elonmusk, while you try to colonize Mars – Russia try to occupy Ukraine! While your rockets successfully land from space – Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.”
Yesterday, Fedorov posted a photo of a truck full of Starlink equipment along with the message: “Starlink – here. Thanks, @elonmusk.”
Each Starlink kit includes a user terminal to connect to the satellites, a mounting tripod, and a Wi-Fi router. It’s not known how many kits SpaceX is sending to support Ukraine.
So what’s the upshot for you? Some on Twitter were most impressed that the dishes shipped on time, others impressed by the fact that the dishes appear to be the older heated, curved design that neighborhood cats so enjoy napping in.
Global: Your home Router Is Collecting Your Data. Here’s What to Know, and What to Do About It
https://dd-wrt.com/support/router-database/
Almost all of the web traffic in your home passes through your router, so maybe it’s difficult to imagine that it isn’t tracking the websites that you’re visiting as you browse. Every major manufacturer I looked into discloses that it collects some form of user data for marketing – but almost none of the policies I read included any language that explicitly answered the question of whether or not a user should expect their web history to be logged or recorded.
The sole exception? Google. “Google Wifi and Nest Wifi devices do not track the websites you visit or collect the content of any traffic on your network,” Google’s support page for Nest Wifi privacy reads. “However, your Google Wifi and Nest Wifi devices do collect data such as Wi-Fi channel, signal strength, and device types.”
CommScope notes that the way it handles and shares data used for performance analytics with its Arris Surfboard routers constitutes a sale of personal data under California law.
TP-Link said that it doesn’t collect user browsing history for marketing purposes, but the company muddies the waters with confusing and contradictory language in its privacy policies saying that browser history is collected using cookies, tags, pixels, and other similar technologies, anonymized, and then shared internally within the TP-Link group for direct marketing purposes.
With respect to routers, all of the companies I looked at acknowledged that they share user data with third parties for marketing purposes. The majority of these companies claim that these are in-house third parties bound by the company’s policies, and all of the companies I reached out to said that they don’t share data with third parties for their own, independent purposes. Still, that’s a tall trust ask for privacy-conscious consumers.
This finally brings us to Eero. The company does not offer an option for opting out of data collection and instead tells users that the only way to stop its devices from gathering data is to not use them.
“You can stop all collection of information by the Application(s) by uninstalling the Application(s) and by unplugging all of the Eero Devices,” the Eero privacy policy notes, then you must ask Eero to delete your personal data from its records by emailing privacy@eero(dot)com
So what’s the upshot for you? Can I opt-out of data collection altogether? With some manufacturers, the answer is yes. With others, you can request to view or delete the data that’s been collected about you. Generally, none make it easy to find the opt-out details.
There’s simply no good way to know for certain where your data will end up or what it will be used for, and privacy policies will only tell you so much about what data is being collected.
For your next router, you may want to consider flashing it with open-source router configuration software like DD-WRT. See our notes in the blog for details.
Space: The Urgency To Cyber-Secure Space Assets
Cyber expert Josh Lospinoso succinctly describes why the threat is not theoretical in a recent informative article in The Hill. He notes that “Attacks have been going on for many years and have recently ramped up.
In 2018, hackers infected U.S. computers that control satellites.
Iranian hacking groups tried to trick satellite companies into installing malware in 2019.
One report concluded that Russia has been hacking the global navigation satellite system (GNSS) and sending spoofed navigation data to thousands of ships, throwing them off course.
While there have not been any public reports of direct hacks on satellites, vulnerabilities in-ground stations have been exploited to try to alter satellite flight paths, among other aims.”
China also has the capability to act offensively in space, digitally and kinetically.
As far back as 2014, the network of the National Oceanic and Atmospheric Administration (NOAA), was hacked by China. This event disrupted weather information and impacted stakeholders worldwide.
There were approximately 14 other satellite attacks before the NOAA attack.
Eight years later, China is now perceived as even more of a threat. Top U.S. space officials recently said that it is likely the Russian invasion of Ukraine will extend to space, predicting continued GPS jamming and spoofing and urging the military and commercial space operators to be prepared for possible cyberattacks.
National Reconnaissance Office Director Chris Scolese urged attendees at a National Security Space Association conference to “Ensure that your systems are secure and that you’re watching them very closely because we know that the Russians are effective cyber actors.” US space officials expect Russia, Ukraine conflict to extend into space (c4isrnet(dot)com)
So what’s the upshot for you? Russian boosters are used to keep the international space station (ISS) in orbit.
The war is already impacting that maintenance too. The chief of Russia’s space agency said on Twitter: “If you block cooperation with us, who will save the ISS from an uncontrolled deorbit and fall into the United States or Europe?”
He added: “There is also the option of dropping a 500-ton structure to India and China. Do you want to threaten them with such a prospect? The ISS does not fly over Russia, so all the risks are yours. Are you ready for them?”
That’s it for this week. Stay safe, stay, secure, look to the heavens before you go out… and we hope to see you all in se7en.