Rolling with the IT Privacy and Security Weekly Update for March 29th, 2022

Ooh… this week we start with rich creamy chocolate and end with a little smile.

Swiss Roll

In between those pleasurable bookends, we get an update on the Lapsus$ soap opera before the movie rights are sold to Hollywood.

We learn about printers being hacked to spread the news, and the astounding number and diversity of attacks on communications across Ukraine.

We get an update on a tech exodus and a new targeted ad campaign from the FBI.

Finally, there’s a new “adopt an FSB agent program” with glittering tips on how you can find your own.

This is the best IT privacy and Security weekly update yet. Let’s roll! Swiss roll!

CH: Nestlé suspends KitKat and Nesquik sales in Russia amid international pressure

Anonymous has urged more than 30 multinationals to pull out of Russia immediately – or face the consequences. Some, for example, Bridgestone Tires, publicly reached out to Anonymous to inform the hacker collective that they have already suspended business in Russia to avoid potential breaches and leaks.

On Tuesday, Anonymous claimed to have leaked a trove of data belonging to the food giant, giving credit to the grey-hat hacker group Kelvin Security. Only 5,7MB of the alleged 10GB leak was released as proof.

The company says that can’t possibly be true. Why? Because the data was actually leaked by Nestle itself several weeks ago. In emails to Gizmodo, a Nestle spokesperson disavowed allegations from the hacktivist collective Anonymous, which claimed this week to have stolen and leaked a 10-gigabyte tranche from the global food and beverage conglomerate.

Anonymous said it was punishing Nestle for its reticence to withdraw from Russia, as a host of other major companies have done. The data, which Anonymous said included internal emails, passwords, and information on Nestle’s customers, was posted to the web on Tuesday.

But, according to Nestle, Anonymous is full of it. “This recent claim of a cyber-attack against Nestle and subsequent data leak has no foundation.” The spokesperson explained that the trove of data floating around the web was, in fact, the product of a mistake the company made earlier this year: “It relates to a case from February when some randomized and predominantly publicly available test data of a B2B nature was made accessible unintentionally online for a short period of time.” […] In a follow-up email, the same company spokesperson explained that the data, some of which was already public and some of which was not, had been accidentally published to the open internet for multiple weeks.

According to the spokesperson: “Some predominantly publicly-available data (e.g., company names and company addresses and some business email addresses) was erroneously made available on the web for a limited period of time (a few weeks). It was detected by our security team at the time and the appropriate review was carried out. The data was prepared for a B2B test website to perform some functionality checks.”

Nestle on Wednesday said it planned to partly scale back its operations in Russia, continuing to provide “essential food, such as infant food and medical/hospital nutrition.”

So what’s the upshot for you? We loved this one. “You didn’t hack us! We leaked that data ourselves!”

UK/BR: Lapsus$: As the Story unfolds…

A 16-year-old from Oxford has been accused of being one of the leaders of cyber-crime gang Lapsus$.

The teenager, who is alleged to have amassed a $14m (£10.6m) fortune from hacking, has been named by rival hackers and researchers.

City of London Police say they have arrested seven teenagers in relation to the gang but will not say if he is one.

The boy’s father told the BBC his family was concerned and was trying to keep him away from his computers.

Under his online moniker “White” or “Breachbase” the teenager, who has autism, is said to be behind the prolific Lapsus$ hacker crew, which is believed to be based in South America.

Lapsus$ is relatively new but has become one of the most talked-about and feared hacker cyber-crime gangs, after successfully breaching major firms like Microsoft and then bragging about it online.

The teenager, who can’t be named for legal reasons, attends a special educational school in Oxford.

City of London Police said: “Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”

and in a March 28 update: Four researchers investigating the gang’s recent hacks said they believed the 16-year-old, who uses the online moniker “White” or “Breachbase,” was a leading figure in Lapsus$, and Bloomberg was able to track down the suspected hacker after his personal information was leaked online by rival hackers.

City of London Police, which primarily focuses on financial crimes, did not say if the 16-year-old was among those arrested.

At least one member of Lapsus$ was also apparently involved with a recent data breach at Electronic Arts, according to [security reporter Brian Krebs], and another is suspected to be a teenager residing in Brazil.

The latter is said to be so capable of hacking that researchers first believed that the activity they were witnessing was automated. Researchers’ ability to track the suspected Lapsus$ members may be because the group, which now has more than 45,000 subscribers to its Telegram channel where it frequently recruits insiders and leaks victims’ data, does little to cover its tracks.

In a blog post this week, Microsoft said the group uses brazen tactics to gain initial access to a target organization, which has included publicly recruiting company insiders. The group has even gone as far as to join the Zoom calls of companies they’ve breached and taunted employees trying to clean up their hack.

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents that have not yet been reported.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021.

According to the timeline, the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager.

About five hours later, the hackers created a new Sykes user account and added the account to a user group called “tenant administrators,” which have broad access to the organization, likely to create a “backdoor” account to Sitel’s network that the hackers could use if they were later discovered and locked out.

The Lapsus$ hackers were compromising Okta’s network at around the same time, according to Okta’s timeline of events.

The timeline shows that the hackers last accessed Sitel’s network on January 21 at 2 p.m. (UTC), around 14 hours after accessing the spreadsheet of passwords. Sitel issued a company-wide password reset to try to lock out the attackers.

So what’s the upshot for you? We want to close out this summary of stories with a quote from Okta, (and a little addition from us). “We take our responsibility to protect and secure our customers’ information very seriously,” Okta chief security officer David Bradbury said “We are deeply committed to transparency and will communicate additional updates when available.”… we just might be a couple of months late delivering them…

RU/UA: Russian Printers Juiced by Hacker Anti-War Messages

“Dear Brother/Sister,” reads a transcript of the alleged printed message on the communication app Telegram.

“This isn’t your war, this is your government’s war. Your brothers and sisters are being lied to, some units think they are practicing military drills. However, when they arrive […] they’re greeted by bloodthirsty Ukrainians who want redemption and revenge from [sic] the damage that Putin’s puppets cause upon the land.”

The claim, also posted on Twitter by the Anonymous sub-group, has allegedly been verified by reporters who contacted account owners and confirmed the breach had taken place.

It is unclear whether these owners were Russian operators or merely representatives of service providers.

So what’s the upshot for you? “unsecured printers all across Russia” had begun “mass printing information on Putin’s invasion including Russia losses in order to bypass the Kremlin’s media blackout and propaganda.”

US: Arizona launches digital IDs for Apple devices

Arizona on Wednesday became the first state to offer digital versions of driver’s licenses and identification cards that can be stored in Apple’s Wallet app. That means that residents who own iPhones or Apple Watches can add their IDs to those devices.

But the list locations of where Arizonans can use their new digital identifications is short: So far, they will only be accepted by Transportation Security Administration checkpoints at Phoenix’s Sky Harbor International Airport, according to the state’s Motor Vehicle Division.

State authorities said that even if they’ve added their IDs to their mobile devices, residents should still carry their physical cards for other instances that require identity checks, like liquor stores and encounters with law enforcement.

So what’s the upshot for you? Soon if you lose your phone and you might cease to exist.

UA/EU: More on the ViaSat outage

As Russian troops moved into Ukraine during the early hours of February 24, satellite internet connections were disrupted. A mysterious cyberattack against the satellite’s ground infrastructure—not the satellite itself—plunged tens of thousands of people into Internet darkness.

Among them were parts of Ukraine’s defenses. “It was a really huge loss in communications at the very beginning of the war,” Viktor Zhora, a senior official at Ukraine’s cybersecurity agency said.

Ukraine has the world’s most transparent system for tracking government spending, and multiple government contracts show that the State Services for Special Communication and Information Protection and police have purchased the technology. For instance, during Ukraine’s 2012 elections, more than 12,000 satellite internet connection points were used to monitor voting, official documents show.

Hacking threats to Satcom aren’t new. In 2014 security researcher Ruben Santamarta published research showing the many ways satellite communications could potentially be hacked. In 2018, Santamarta’s follow-up research demonstrated how this could be done, including a focus on satellite systems in military situations.

Santamarta says it is possible the attackers in the Viasat case—although their identity and motive is unknown—may have been able to deploy a malicious firmware update that sabotaged customer modems.

“We have the option that the intended goal of the attackers was to actually break the terminals in order to disable the communications,” Santamarta says. “Or maybe they were expecting to deploy a specific payload to maybe eavesdrop on communications and something went wrong and the terminals were bricked.

At this point, we don’t know what really happened.”

Almost a month after the attack, the disruptions continue. Thousands still remain offline in Europe—around 2,000 wind turbines are still disconnected in Germany—and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack.

So what’s the upshot for you? The Viasat hack is arguably the largest publicly known cyberattack to take place since Russia invaded Ukraine, and it stands out for its impact beyond Ukraine’s borders.

UA: ‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider

A “powerful” cyberattack has hit Ukraine’s biggest fixed-line telecommunications company, Ukrtelecom.

Described as the most severe cyberattack since the start of the Russian invasion in February, it has sent the company’s services across the country down.

Victor Zhora, deputy head of the State Service for Special Communications and Information Protection, confirmed to Forbes that the government was investigating the attack. He said it’s not yet known whether Ukrtelecom – a telephone, internet and mobile provider – has been hit by a distributed denial of service (DDoS) attack or a deeper, more sophisticated intrusion.

The attack has only been acknowledged by Ukrtelecom in responses to customer comments on Facebook. In one, it responded by saying that services were down as a result of a “powerful cyber-attack of the enemy.”

When Forbes messaged Ukrtelecom over Facebook, an automated response was provided, reading, "Currently, there are difficulties in using the internet service from Ukrtelecom. Our specialists are doing everything possible to resolve this issue as soon as possible.

Due to the abnormal load and problems with internal systems, the operators of the contact center and Facebook can not process customer requests." NetBlocks, which tracks internet downtimes across the world, found Ukrtelecom had been dealing with a disrupted service since this morning, “collapsing to 13% of pre-war levels.”

So what’s the upshot for you? Last week, Ukraine’s Computer Emergency Response Team (CERT) revealed statistics showing the country had been subjected to 60 different cyberattacks. It said 11 had targeted government and local authorities, with 8 hitting military and law enforcement.

RU: And Now Russia Is Seeing a Tech Worker Exodus

According to RAEK, a Russian technology trade group, between 50,000 and 70,000 tech workers have already fled Russia, and 70,000 to 100,000 more could leave in April. With flights to the West canceled, they have wended their way to countries where Russian citizens can still travel visa-free.

According to one Russian technology worker who has also left the country, and who asked not to be named, such a brutal, sudden hit on their livelihood is the last straw that convinced many Russian tech workers to pack it in.

“For a long time there was this kind of balance where the state did horrible things, but if you didn’t interact with it, if you didn’t go into the areas where the state claimed dominance, you were more or less left alone.

So we don’t touch politics—they don’t touch our money, we get to build our assets and live our lives,” they say. “By waging this war, they went into our sphere.

They devalued our money, they devalued our assets, they made everything we invested in illiquid and cheap.

That was a wake-up call.”

Putin’s government has signaled that it regards technology workers as a strategic asset, and it has tried to stem exits by introducing new financial incentives for tech companies and announcing that IT workers would be exempt from conscription.

Paradoxically, those promises had the “opposite effect” on some tech workers. “They perceived that there would be a massive draft for the army and they needed to relocate immediately."

Exiting Russia is still possible, as long as one can find a flight, but press reports suggest that Russians who leave the country are facing aggressive questioning by border officials regarding their motives.

So what’s the upshot for you? If you are wondering why that rumored Russian cyberattack still has not hit all parts of the globe, this may be why.

US/RU: Kaspersky Named First Russian Company on Security Risk List

The Federal Communications Commission on Friday also added China Telecom (Americas) Corp, and China Mobile International USA Inc. to the list. Once a company is on the list, federal subsidies can’t be used to purchase its equipment or services. The action is part of the FCC’s efforts to “strengthen America’s communications networks against national security threats,” Jessica Rosenworcel, the agency’s chairwoman, said in a news release.

Kaspersky is a well-known provider of anti-virus software and has conducted investigations into a range of nation-state hacking incidents.

It calls itself the world’s largest privately-owned cybersecurity company on its website. It says it protects over 400 million users and 240,000 companies. […]

For Friday’s update of the list, the FCC said it relied on findings by the Department of Homeland Security and an executive branch interagency body called the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

So what’s the upshot for you? it would be just too easy to compromise a machine through antivirus tooling. This move makes sense.

US: Want To Talk? FBI Trolls Russian Embassy for Disgruntled Would-Be Spies

Recruitment ad hits social media feeds of mobile phones located outside or inside the diplomatic compound.

The FBI is trying a novel strategy to recruit Russian-speaking individuals upset about the country’s invasion of Ukraine: aiming social media ads at cellphones located inside or just outside the Russian Embassy in Washington.

The ads, which appear on Facebook, Twitter and Google, are carefully geographically targeted. A Washington Post reporter standing next to the embassy’s stone walls on Wednesday morning received the ad in their Facebook feed. But the ads did not appear in the feed when the reporter stood on the other side of Wisconsin Avenue NW, in the District’s Glover Park neighborhood.

The ads are designed to capitalize on any dissatisfaction or anger within Russian diplomatic or spy services – or among Russian emigres to the United States – over the invasion of Ukraine, an event that counterintelligence experts call a huge opportunity for the U.S. intelligence community to recruit new sources.

The unlikely star of the campaign is Russian President Vladimir Putin, whose own words are used to encourage people working in or visiting the embassy to talk to the FBI.

The ad quotes Putin at a meeting last month where he publicly chastised his intelligence chief, Sergey Naryshkin, correcting the spy boss’s position on Russian policy toward the separatist eastern regions of Ukraine.

Naryshkin, the director of Russia’s Foreign Intelligence Service, or SVR, stammered at the meeting and seemed unsure of what Putin wanted him to say.

So what’s the upshot for you? That’s what we call targeted marketing!

UA: Ukraine publishes a list of hundreds of 'Russian FSB officers’

LVIV, Ukraine, March 28 (Reuters) - Ukraine’s military intelligence on Monday published the names and contact details of 620 people it alleged were officers of Russia’s Federal Security Service (FSB) involved in “criminal activities” in Europe.

Reuters could not verify the information. Russia did not immediately comment on the list of names.

In a post in Russian on its official website, the intelligence arm of the Ukrainian defence ministry listed people it said were FSB employees registered at the agency’s headquarters in Moscow.

So what’s the upshot for you? If you like exotic pets, now you can adopt your very own FSB agent.

CH/RU: and now, how do you spot one of those 620 FSB agents?

Moscow, March 22, 2022: Agents of the Russian secret service FSB search the premises of the local subsidiary of the Swiss luxury watch manufacturer Audemars Piguet and confiscate watches worth several million francs.

Russian agents reportedly seized a fortune in luxury watches manufactured by Swiss firm Audemars Piguet – a move seen as the Kremlin’s retaliation after the Swiss government imposed economic sanctions in response to Russia’s invasion of Ukraine.

Members of Russia’s secret service, the FSB, took the watches during a raid on a local subsidiary of Audemars Piguet. The value of the seized goods was said to be worth the equivalent of several million dollars.

Russian officials said the watches were seized due to customs violations, but Swiss authorities weren’t buying the explanation.

Swiss foreign affairs department officials said in a confidential memo that the raid was “most likely an arbitrary repressive measure in response to the sanctions,” Swiss newspaper NZZ am Sonntag reported.

The incident occurred weeks after Switzerland abandoned its tradition of neutrality and joined with the European Union in enacting sanctions against Russia.

So what’s the upshot for you? Just look for the (low paid) FSB agent with the $27,000 Audemars Piguet Royal Oak wristwatch.

US: Security tool guarantees privacy in surveillance footage

“We’re at a stage right now where cameras are practically ubiquitous. If there’s a camera on every street corner, every place you go, and if someone could actually process all of those videos in aggregate, you can imagine that entity building a very precise timeline of when and where a person has gone,”

Let’s say we have a video overlooking a street. Two analysts, Alice and Bob, both claim they want to count the number of people that pass by each hour, so they submit a video processing module and ask for a sum aggregation.

The first analyst is the city planning department, which hopes to use this information to understand footfall patterns and plan sidewalks for the city. Their model counts people and outputs this count for each video chunk.

The other analyst is malicious. They hope to identify every time “Charlie” passes by the camera. Their model only looks for Charlie’s face, and outputs a large number if Charlie is present (i.e., the “signal” they’re trying to extract), or zero otherwise. Their hope is that the sum will be non-zero if Charlie was present.

From Privid’s perspective, these two queries look identical. It’s hard to reliably determine what their models might be doing internally, or what the analyst hopes to use the data for. This is where the noise comes in.

Privid executes both of the queries, and adds the same amount of noise for each. In the first case, because Alice was counting all people, this noise will only have a small impact on the result, but likely won’t impact the usefulness.

In the second case, since Bob was looking for a specific signal (Charlie was only visible for a few chunks), the noise is enough to prevent them from knowing if Charlie was there or not. If they see a non-zero result, it might be because Charlie was actually there, or because the model outputs “zero,” but the noise made it non-zero.

So what’s the upshot for you? The challenge is determining how much noise to add — Privid wants to add just enough to hide everyone, but not so much that it would be useless for analysts.

Adding noise to the data and insisting on queries over time windows means that your result isn’t going to be as accurate as it could be, but the results are still useful while providing better privacy.

We like that idea.

Global: Our fav. IT Privacy and Security jokes

We realize the Russian invasion of Ukraine has dominated the IT Privacy and Security weekly update this week so in an attempt to lighten the mood we have scoured the web, light and dark for a few IT Privacy and Security jokes. Here goes:

What did the moderator say to kick off the IT speed dating session?
“Singles, sign on!”

What do you call a turtle that surfs the dark web?
A TOR-toise

What do you call an excavated pyramid

If girls are made of sugar, spice, and everything nice, and boys are made of slime, snails, and puppy-dog tails, what’s the cloud made from?
Linux servers, mostly.

What do you call a group of math and science geeks at a party?
Social engineers.

What’s the best way to catch a runaway robot?
Use a botnet.

Why did the programmer leave the camping trip early?
There were too many bugs.

What do you tell a hacker after a bad breakup?
There are plenty of phish in the sea!

Did you hear about the computer that kept rebooting?
It was terminal.

Why did the band never get a gig?
It was called 1023MB. (source)

and finally…

One day, I started to whisper, so my wife asked me why I was whispering, I told her I didn’t want Mark Zuckerberg to hear us.

I laughed.

My wife laughed.

Alexa laughed.

Siri laughed.

So what’s the upshot for you? …and with that, there is certainly nothing more to say.

That’s it for this week. Stay safe, stay, secure, keep rolling,
Swiss Roll
and we’ll see you in se7en.



Looks nervously sideways at Amazon Alexa & Google Home Assistant :eyes:

We neglected to add “OK Google” into the mix. Apologies.

1 Like