Risky Biz News: EU, Five Eyes condemn Russia's Viasat hack

In other news: F5 devices come under attack; new US probe into Kaspersky; RuTube denies catastrophic data-wiping attack.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

In a surprise but coordinated move on Tuesday, officials from the EU and the Five Eyes intelligence alliance have accused the Russian government of hacking and disabling KA-SAT, a satellite network operated by Viasat.

Officials said the hack destroyed KA-SAT functionality one hour before "Russia's unprovoked and unjustified invasion of Ukraine on 24 February 2022."

Officials condemned Russia for the recklessness of its cyber operation, which spilled over beyond its military purpose and damaged civilian and critical infrastructure in both Ukraine and across EU states.

In a Twitter thread, Alexandra Paulus, an International Cybersecurity Policy Fellow at German think tank SNV, said that the EU's official statement "ticks many cyber diplomacy boxes," such as reference to cyber norms, specifying which norm was violated (prohibition of targeting critical infrastructure), and by pointing out that Russia—as a UN member—had previously agreed to respect these norms.

And unlike all the previous times that western countries went on the record to accuse Russia of reckless hacks, this was one of their most well-coordinated and sternly-worded declarations to date.

Formal condemnations came from the EU itself and many of its member states, the Five Eyes intelligence alliance (the US, the UK, Canada, Australia, and New Zealand), and Ukraine. In total, 21 countries went on the record in one form or the other (at the time of this newsletter's publication).

Stefan Soesanto, a Senior Cyber Defence Researcher at the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) in Zurich, has previously analyzed the EU's usage of HR (High Representative) Declarations for cyber activity [see PDF]. In a private conversation with Risky Business on Tuesday, shortly after the EU's press release, Soesanto called the joint attribution to Russia for the Viasat hack "a major policy shift on the EU level."

"It is the first-ever collective EU public attribution statement, and with the door now open and the precedent established—we are highly likely going to see more EU member states pushing for collective EU public attribution statements in the future," Soesanto told us.

"Prior declarations only referred to APT designations (ex. APT40), territory (ex. op conducted from the territory of China), or third-party public attribution statements (ex. US public attribution on SolarWinds)," he added.

"It is also interesting that this shift was made under the French Council Presidency, as it was the French government that very much insisted that attribution is a sovereign political decision and a national prerogative of the individual member states."

Breaches and hacks

US college to shut down: Lincoln College, a predominantly black college based in Illinois, is scheduled to shut down operations on Friday, becoming the first US educational institution to close down due to a ransomware attack, The Hill reported on Sunday. In a message posted on their website, college officials said the institution has struggled to recover its data following a ransomware attack that took place in December 2021. While the college has been struggling with enrollments due to the COVID-19 pandemic, the attack hindered access to all institutional data, blocking access to recruitment, retention, and fundraising efforts, and creating an unclear picture for next year. When systems were restored in March, officials discovered too late a grim enrollment projections outlook for the 2022 fall, which required a great financial effort to keep the college afloat.

Another crypto heist: The operators of decentralized finance (DeFi) lending and credit protocol Fortress announced on Sunday that about $3 million worth of cryptocurrency was stolen during an attack on third-party infrastructure. While the company has not published a full post-mortem of the recent incident, Fortress described the incident on Twitter as an "oracle manipulation attack" that drained all its funds.

OPM settlement: Federal employees have asked a judge to approve a $63 million settlement in a class-action lawsuit related to the 2015 OPM data breach. The settlement, if approved, would grant from $700 and up to $10,000 to current and former OPM employees who had their data snatched by Chinese state hackers back in 2015. More than 21.5 million OPM employees had their information stolen, but only those who can prove a direct economic loss from the hack will be eligible for compensation.

9 May hacks: Pro-Ukraine hacktivists have hacked and defaced several Russian TV and online platforms on Monday during Russia's Victory Day celebrations, WaPo reported. The attackers defaced TV schedules on Russian smart TVs and widgets on the Yandex search engine to show a message reading: "On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war." In addition, the hackers also launched an attack against RuTube, a local Russian YouTube-like video hosting platform. Initially, the attackers claimed to have wiped the site's content, but RuTube denied their claims in a statement published on Tuesday. The Russian video platform said that 75% of its web infrastructure was destroyed but that its source code and video archives were intact.

AA breach: The New Zealand Automobile Association said that it recently discovered that a threat actor used a vulnerability to extract personal data for some of its users from one of its older websites. In a statement posted on its official site, AA said the attacker exploited a bug in a version of AA Traveller, an online platform for making travel reservations. AA said the vulnerable site was in use between 2003 and 2018 but did not say how many users had their personal data stolen in the attack. This is the second time that AA discloses a breach of this nature after a first incident in 2010.

General tech and privacy

Clearview AI lawsuit: The ACLU and Clearview AI have agreed to a court settlement that will ban the company from selling its biometrics database to private businesses or individuals in the US. Both parties celebrated the settlement as some sort of win, but as Michael Kan, a reporter for PCMag, pointed out, Clearview appears to have won more, as the company was not selling its facial recognition tech to private businesses in the first place, only to state agencies, meaning the settlement will have little impact on its operations.

CCC privacy warning: Germany's Chaos Computer Club, one of the largest hacker communities in the world, published a blog post on Tuesday [in German] warning their members about the EU's plan to screen all IM/chat messages. Euractiv has obtained and broken down a copy of the EU's proposed plans—meant to combat child pornography.

Government, politics, and policy

Pentagon hates data brokers: And now for an oxymoron from the US government on data brokers and privacy. For starters, the US DoD has put out a call to the private sector for solutions to protect its military and civilian personnel from data tracking and data brokers that can amass vast quantities of information about its staff.

ICE loves data brokers: But on the same note, the ICE absolutely loves data brokers, according to a recent report. Academics from Georgetown University said that they've discovered that the ICE has used data brokers to bypass US judicial, legislative, and public oversight and build a surveillance system capable of tracking most US citizens.

DOD cyber to get State Dept. oversight: Cyberscoop reported on Tuesday that the White House is preparing an agreement to put give the State Department more say in some DOD offensive cyber operations. The State Department will have a say if the DOD sends notifications to foreign countries about their intention to enter their cyberspace to interrupt adversary infrastructure, according to sources familiar with the future agreement.

New Kaspersky probe: Following Russia's invasion of Ukraine, US officials have started a new probe into Russian security firm Kaspersky, Reuters reported on Monday, citing three people familiar with the new investigation. The probe is being led by the US Department of Commerce using new broad powers granted to it by the past Trump administration. Reuters claims these new powers can allow the Commerce Department to ban the use of Kaspersky software across the US, purchases by US citizens, or prohibit the download of software updates. US regulators have already banned federal government use of Kaspersky software in 2017.

Biden signs cybercrime bill: President Joe Biden signed last week the Better Cybercrime Metrics Act into law. The new law aims to improve how the federal government tracks, measures, analyzes, and prosecutes cybercrime offenses.

Spain fires intel chief: The Spanish government has fired the director of its intelligence agency, citing the agency's failure to detect the Pegasus spyware on the phones of Spanish officials for more than a year. Paz Esteban, director of the National Intelligence Center (CNI), was relieved of duties on Tuesday. Prime Minister Pedro Sánchez's mobile phone was breached twice in May 2021, and Defense Minister Margarita Robles' device was targeted once the following month, per an AP report earlier this month.

Cybercrime and threat intel

Ransomware count: Microsoft's security team said on Monday that it tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities. Microsoft called the DEV-0193 cluster (also known as Trickbot) as "the most prolific ransomware group today."

DCRat: The team at BlackBerry has published an in-depth report on DCRat (or DarkCrystal RAT), a remote access trojan sold on underground cybercrime markets. Sold predominantly on Russian underground forums, BlackBerry said DCRat was one of the cheapest commercial RATs they've ever come across, priced at only $6 for its lowest tier.

FluBot: Finland's cybersecurity agency published an alert on Tuesday about a new wave of SMS spam distributing links to apps infected with the FluBot Android malware.

German car dealerships: Check Point has a report out on an email phishing campaign targeting German car dealerships and manufacturers. The final payload in the attacks are infostealers such as Racoon, AZORult, or BitRAT.

UK hacker charged: The DOJ has charged a UK national for a hacking campaign that took place between 2011 and 2018. The suspect stands accused of gaining access to email servers and computers belonging to US financial institutions in order to steal money from online bank accounts and make unauthorized stock transactions from brokerage accounts. The suspect was detained in the UK in August 2021, and the US is now seeking his extradition.

Malware technical reports

Quantum Locker: Security firm Cybereason has published a report on the Quantum Locker ransomware, the latest rebrand of the MountLocker crew. Previous rebrands included the AstroLocker and XingLocker ransomware variants.

New REvil samples: Secureworks have published a report on samples of the REvil ransomware that were in recent attacks over the past weeks. The company concluded that this new REvil group has access to the original REvil ransomware source code, "reinforcing the likelihood that the [REvil] threat group has reemerged."

Black Basta: Trend Micro has published a report on the new Black Basta ransomware operation, believed to have splintered off from the old Conti gang.

Frappo: Something we missed last month—Resecurity's report on Frappo, a new Phishing-as-a-Service platform for cybercrime groups.

Vulnerabilities and bug bounty

F5 active exploitation: Owners of F5 BIG-IP devices (load balancers, firewalls, and proxies) are advised to install the security updates F5 Networks released last week for a vulnerability tracked as CVE-2022-1388. Reports are coming in from multiple threat intel analysts and security firms that several threat groups are now exploiting this bug, which has already been used to hijack at least 300 devices. The current attacks have begun after several security researchers published PoCs for this bug over the weekend, fast-tracking the attacks that began earlier this week.

Google reviews AMD security processor: Google's infamous Project Zero team has released a security audit [PDF] of the AMD Security Processor (ASP), an isolated core in AMD EPYC CPUs that handles secure system initializations. The report found 19 security issues. Google said AMD fixed all reported flaws.

Good-guy researcher: A security researcher has recently avoided a major disaster by registering the expired domain that was used as the email domain for a very popular npm library. If left unregistered, the domain and the npm package could have been hijacked by a threat actor. This new technique of hijacking npm accounts was first discussed in an academic paper published last December. At the time, the researchers said they found that thousands of npm packages were using expired email domains for their npm portal accounts. (h/t Victor Gevers)

Patch Tuesday: Yesterday was Patch Tuesday, so there are loads of security updates to apply this morning, such as those from VMWare, Adobe, and Microsoft. The Microsoft updates also included a fix for an actively exploited zero-day (CVE-2022-26925), and half of the 75 fixed vulnerabilities were reported by one single company—China's Kunlun Lab

New tool: Crowdsource hacker Luke "hakluke" Stephens has released a new tool for discovering the origin host behind a reverse proxy which is useful for bypassing WAFs and other reverse proxies.