Risky Biz News: Microsoft saw Russian threat actors pre-position for attacks one year before Ukrainian invasion

In other news: Germany warns against Russian programmers, Security.txt is now an IETF standard, and Microsoft Edge will get a built-in VPN.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

Microsoft published a report on Wednesday detailing its visibility into the cyberattacks carried out by Russia against Ukraine. The company said it detected at least six Russian-aligned threat actors launching 237 operations against Ukraine, with some groups pre-positioning for conflict as early as March 2021, almost a full year before the Russian military invaded Ukraine.

Groups involved in the attacks included the likes of Sandworm, APT28, Turla, Nobelium, Gamaredon, and EnergeticBear, linked to cyber units inside Russia's GRU, SVR, and FSB agencies. Microsoft said that many cyberattacks mirrored and augmented military actions inside Ukraine, such as deploying wipers to sabotage Ukrainian government activity before certain troop operations. Around 32% of the data destructive attacks hit government targets, while another 40% hit critical infrastructure, according to the report.

The OS maker also warned that Russian threat actors may now try to expand their destructive actions outside Ukraine to retaliate against countries that provided military assistance to Ukraine or imposed sanctions on the Russian government, echoing a similar warning put out by US and UK officials.

Breaches and hacks

Another crypto hack: DeFi platform Deus Finance got popped for $13.4 million on Thursday. Blockchain security firms PeckShield and CertiK categorized the incident as another flash loan attack, the usual technique used by threat actors to go after DeFi platforms over the past two years.

General tech and privacy

Security.txt is now a standard: Five years after its launch, Security.txt is now an official IETF standard, having been assigned the identifier RFC 9116. Launched in 2017, Security.txt refers to a text file that companies can place on their official websites with information on how bug hunters can contact security teams to report vulnerabilities and other cybersecurity-related issues.
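The item above describes the file but not its structure. The following is an added example, not code from the newsletter or from the RFC's authors, showing a small RFC 9116 parser and checker: Contact and Expires are required, Expires and Preferred-Languages may appear only once, Contact values must be URIs, and the expiry timestamp should be in the future but less than a year out. The two sample files, the example.com addresses and the fixed "now" date are constructed for this example.

```python
"""Added example: parse and sanity-check a security.txt file per RFC 9116.

The sample files below are constructed for this example; example.com and
the contact addresses are placeholders, not real deployments.
"""
from datetime import datetime, timedelta, timezone
import re

# Field names RFC 9116 defines (matched case-insensitively).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED_FIELDS = {"contact", "expires"}               # must be present
SINGLETON_FIELDS = {"expires", "preferred-languages"}  # at most once
# A Contact value must be a URI with a scheme (mailto:, https:, tel:, ...).
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")

# Fixed "now" so the expiry checks are reproducible (assumed date).
NOW = datetime(2022, 4, 29, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Split the file into fields; returns (fields, syntax_problems).

    fields maps a lowercased field name to the list of values seen, in
    order. Blank lines and '#' comment lines are skipped.
    """
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems


def validate_security_txt(text, now=NOW):
    """Return a list of problems; an empty list means the file passed."""
    fields, problems = parse_security_txt(text)
    for name in sorted(REQUIRED_FIELDS - set(fields)):
        problems.append(f"missing required field '{name}'")
    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field '{name}'")
        if name in SINGLETON_FIELDS and len(values) > 1:
            problems.append(f"field '{name}' must appear only once")
    for uri in fields.get("contact", []):
        if not URI_RE.match(uri):
            problems.append(f"contact value is not a URI: {uri!r}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append("expires lacks a timezone")
        elif expires <= now:
            problems.append(f"file expired on {value}")
        elif expires > now + timedelta(days=366):
            problems.append("expires is more than a year out (RFC 9116 recommends less)")
    return problems


# Constructed sample: a well-formed file.
GOOD_SAMPLE = """\
# Served from https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2023-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: no Expires, a bare e-mail address instead of a URI,
# a repeated singleton field and an unknown field.
BAD_SAMPLE = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: de
Foo: bar
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_security_txt(sample) or "OK")
```

The checker reads the file text only; fetching it from /.well-known/security.txt over HTTPS, and verifying the optional PGP signature, are separate steps the RFC also covers.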

DNS-over-QUIC: An academic paper published in March found that the current versions of the DNS-over-QUIC protocol "already outperforms [DNS-over-TLS] as well as [DNS-over-HTTPS], which makes it the best choice for encrypted DNS to date." The DNS-over-QUIC protocol is still in standardization.

New Bad Keys service: German cryptographer Hanno Böck launched a new service this week called BadKeys.info that can check cryptographic keys for known vulnerabilities like the Debian OpenSSL bug, ROCA, common prime factors, and others.
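The "common prime factors" check mentioned above is worth seeing in code. Two RSA moduli that share a prime can both be factored with a single gcd, which is why a key-checking service collects large sets of public keys and runs a batch GCD across them. The following is an added example, not BadKeys' own code: it implements Bernstein's product-tree/remainder-tree batch GCD and flags any modulus in the set that shares a factor. The toy moduli are constructed from small primes for readability; the arithmetic is the same for 2048-bit keys.

```python
"""Added example: find RSA moduli that share a prime factor (batch GCD).

Pairwise gcd() works but costs O(n^2) big-number operations; the
product/remainder-tree method below (Bernstein's batch GCD) scales to
large key sets. Sample moduli are constructed, not real keys.
"""
from math import gcd


def product_tree(leaves):
    """Levels of a binary product tree, leaves first, root (the product) last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each modulus N_i, return gcd(N_i, product of all other moduli).

    P mod N_i^2 is computed down a remainder tree; (P mod N_i^2) / N_i has
    the same gcd with N_i as P / N_i, so no division by the huge P is needed.
    """
    tree = product_tree(moduli)
    rems = tree.pop()                      # root level: [P]
    while tree:
        level = tree.pop()                 # walk back towards the leaves
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def shared_factors(moduli):
    """Map index -> shared factor for every modulus that shares a prime.

    A result equal to the modulus itself means the whole key was seen more
    than once (e.g. the same key in several certificates), not a weak key.
    """
    return {i: g for i, g in enumerate(batch_gcd(moduli)) if g > 1}


# Constructed toy moduli built from small primes. N0 and N1 share the prime 103,
# so both are immediately factorable; N2 and N3 are fine.
SAMPLE_MODULI = [101 * 103, 103 * 107, 109 * 113, 127 * 131]

if __name__ == "__main__":
    for i, g in shared_factors(SAMPLE_MODULI).items():
        n = SAMPLE_MODULI[i]
        print(f"modulus {n} shares factor {g}; other factor {n // g}")
```

On real key sets, the moduli come from parsed certificates or SSH host keys, and a hit of `g == n` should be treated as a duplicate key rather than a factored one.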

Google expands doxing protection: Google is expanding the types of data users can request to be removed from search results. Until now, victims of doxing could request the removal of bank account and credit card numbers; starting this week, Google says, victims can also request the removal of phone numbers, email addresses, physical addresses, or login credentials associated with their identities.

New Chrome: Chrome 101 is out! Update for security fixes. Other features in this release include the ability to add comments to saved passwords and the renaming of tens of enterprise policies that lacked race- and gender-inclusive names.

Edge to get a built-in VPN: Microsoft is testing a built-in VPN feature for its Edge web browser. The upcoming VPN, called the Microsoft Edge Secure Network, is provided in partnership with Cloudflare, claims to encrypt user traffic, and will offer 1GB of free bandwidth each month to users who sign into their Edge browser.

Apple Private Relay: VPN provider Mullvad said it identified some scenarios in which the Apple Private Relay feature ignores local firewall rules to ping Apple servers with heartbeat signals.

Government, politics, and policy

Disinformation Governance Board: The US Department of Homeland Security will create a new office called the Disinformation Governance Board. The new effort, led by Nina Jankowicz, will be focused on countering misinformation on topics such as Russia and migration, Politico reported.

Germany warns against Russian programmers: The German government has asked large German companies to restrict the access of Russian software developers to crucial IT systems. Operators of critical infrastructure—such as electricity, water, and internet providers—have received a letter from the Federal Ministry of the Interior. According to German newspaper Wiwo, government officials fear that Russia will put pressure on software developers to insert backdoors that may be used to cripple German infrastructure in the case of future direct confrontation.

Cybercrime and threat intel

FIN7 report: France's CERT team has published a report on the FIN7 hacking group, a former carding group turned ransomware operator (Darkside, BlackMatter, AlphV). The report is currently available only in French, but the agency often releases English translations of its technical deep-dives, so keep an eye out for it in the coming days.

Badly coded ransomware: A new ransomware strain named ONYX, first spotted last week, is trashing victims' files. While smaller files can be decrypted, large files are unrecoverable, according to security researchers.

LockBit ransomware: Sophos researchers said that one of the LockBit ransomware group's affiliates has managed to infect some of its own offensive hacking tools with the Neshta virus. Since Neshta is an old and very well-detected threat, Sophos recommends that any Neshta detection be investigated as a potential LockBit ransomware intrusion going forward.

Gigantic DDoS attack: Cloudflare said it blocked a 15 million requests/s DDoS attack against a cryptocurrency investment platform. While this was not the largest application-layer attack ever recorded, a record that stands at 17.2 million requests/s, Cloudflare said the attack was of note because it was carried out exclusively via HTTPS requests, which was surprising given its large volume.

More Lapsus$ IOCs: After similar reports from Microsoft and others, the NCC Group has published its own analysis and insights into the Lapsus$ group's modus operandi.

FOSS research project: The Open Source Security Foundation (OpenSSF) has conducted a project to analyze what types of malicious packages are typically uploaded to package repositories. The organization said that during its one-month study, more than 200 malicious packages were uploaded to the npm and Python package repositories, with most malicious packages trying to execute a dependency confusion or typosquatting attack. Additional info from Google, too.

Malware technical reports

Hive0117 attacks: IBM's X-Force team has published a report on Hive0117, a financially motivated cybercrime group that has recently been targeting enterprises with the DarkWatchman JavaScript-based RAT. X-Force said the attacks have primarily targeted telecommunications providers in Eastern Europe, including entities in Russia, and that the campaign predates and is not associated with any cyber-activity originating from the Russo-Ukrainian war.

Bumblebee: Proofpoint researchers have spotted a new malware strain named Bumblebee. The malware is being distributed via email spam and is being used as an initial entry vector to drop more powerful malware in subsequent attacks. Proofpoint said that the threat actors currently using Bumblebee have carried out ransomware attacks in the past, which should be cause for concern for companies that detect infections with this new threat on their networks.

BrownFlood malware: A CERT Ukraine alert published on Thursday said that several DDoS attacks that hit Ukrainian websites had been conducted with the help of compromised WordPress sites. Ukrainian CERT specialists said the hacked WordPress sites contained a piece of malicious JavaScript code—codenamed BrownFlood—that hijacked visitors' bandwidth and resources to attack Ukrainian sites.

Black Basta: Reporting from multiple security researchers suggests that the new Black Basta ransomware group is just a rebrand attempt from the old Conti gang. Since the second week of April 2022, Black Basta has already hit at least a dozen organizations, showing the same prowess and efficiency the old Conti gang is typically known for.

APTs and cyber-espionage

Stonefly APT: The North Korean-linked Stonefly group has continued to mount espionage attacks against highly specialized engineering companies, with the likely goal of obtaining sensitive intellectual property, according to Broadcom's Symantec division.

APT10 / TA410 review: ESET has published a review of TA410, an umbrella group that also includes the APT10 Chinese espionage group. The report goes over the group's evolution since 2019, its malware tooling, and recent operations—work that was also presented this week at the BotConf 2022 security conference.

Bronze President APT: Cybersecurity firm Secureworks reported on Wednesday that a Chinese APT known as Bronze President has recently changed its modus operandi and is now trying to compromise Russian state and military personnel. The company said the "group's targeting shift could reflect a change in China's intelligence collection requirements due to the war in Ukraine," which appears to have caught the Beijing government on its back foot back in February.

APT32: Stairwell has a report out on StrikeSuit Gift, an archive of offensive tools and malware the company found on VirusTotal, and which the security firm believes was either developed or used by APT32 (Ocean Lotus), a cyber-espionage group operating out of Vietnam. Among the files, Stairwell took a close look at APT32's Office macro building tools, which researchers said have been at the center of most of the group's operations in recent years.

APT trends Q1 2022: Kaspersky's infamous APT Trends report is out for the first quarter of the year, and the report includes some interesting tidbits, including activity related to a relatively new APT named ToddyCat (targeting Exchange servers in Europe and Asia), new Lazarus operations targeting the crypto community, and a new firmware implant possibly developed by APT41.

APT29/UNC2452: After months of investigation, cybersecurity firm Mandiant has formally linked the group that broke into SolarWinds to APT29, a threat actor long connected to the Russian government. While initial reporting suggested that APT29 was behind the attack, Mandiant had refrained from formally pinning it on the group until it had the evidence to back it up. The White House formally attributed the SolarWinds hack to APT29 in April 2021, and, more specifically, to a cyber-espionage unit within the Russian Foreign Intelligence Service, known as the SVR. In addition, the Mandiant report includes details about newer APT29 attacks, including ones carried out this year, in which the threat actor used a malware strain named BEATDROP that used Trello servers for command-and-control infrastructure.

Earth Berberoka: Trend Micro has published a report on a new APT group they dubbed Earth Berberoka (aka GamblingPuppet). The company said the group uses typical Chinese malware, and its recent attacks have been focused on compromising gambling websites.

Vulnerabilities and bug bounty

Most exploited vulnerabilities: Cybersecurity agencies from Five Eyes countries have published a joint advisory on Wednesday that listed the Top 15 most exploited vulnerabilities in 2021. The list is topped by Log4Shell, a vulnerability in the Apache Log4j library, and also includes multiple variations of the ProxyShell and ProxyLogon bugs that were used to compromise a large number of Microsoft Exchange email servers last year.

Azure PostgreSQL bug: Cloud security firm Wiz has discovered "ExtraReplica," a vulnerability that could have been used to access the PostgreSQL databases of other Azure customers. The bug impacted the PostgreSQL Flexible Server authentication mechanism, and Microsoft said in a blog post on Thursday that it patched the issue back in January, two days after receiving the initial Wiz report.