Risky Biz News: Musk says Russia has ramped up efforts to hack Starlink

In other news: DEA investigates breach of internal portal; CIA has a new CISO; thousands of sites spy on what you enter in unsubmitted forms.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

After the EU and Five Eyes countries formally condemned Russia for the hack of Viasat, a US telecommunications provider that was supplying satellite terminals to the Ukrainian military, SpaceX CEO Elon Musk said that his company has also been targeted, although the attacks have not been successful so far.

"Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but they're ramping up their efforts," Musk said in a tweet on Wednesday.

Musk's comments come after SpaceX stepped in to provide more than 10,000 Starlink satellite terminals to the Ukrainian military after Viasat equipment stopped working just as Russian troops were crossing into Ukraine. Those terminals have been used to provide internet connectivity in war zones, where Ukrainians have used them to record and document Russia's war crimes. But more than anything, the Starlink terminals have been crucial for military operations, with Ukrainian forces relying heavily on reconnaissance drones linked to Starlink terminals to scout Russian troops and send targeting information to nearby artillery units.

And Russia has been well aware of Starlink's crucial role in the war's development. While Russian forces have been able to knock out and hijack ground-based ISP infrastructure, Starlink has remained largely operational for the war's entire duration, its satellites being well out of Russia's missile range.

The country's frustration with Musk peaked on Monday, when Roscosmos chief Dmitry Rogozin sent a message to Russian media via his Telegram channel threatening that Musk would be held "accountable as an adult" for his role in the Ukrainian war and that he can't play the fool anymore.

As for details about Russia's hacking attempts, with Starlink being one of the DOD's official military contractors, such information is most likely highly classified and under TLP:RED seals until the end of the war.

Breaches and hacks

DEA investigating breach: The US DEA is investigating a breach of esp.usdoj.gov, a web portal the agency uses to access sensitive information on US citizens and which aggregates data from 16 different federal law enforcement databases. The breach was reported by Brian Krebs after receiving a tip from KT, the administrator of the Doxbin portal.

VPN leak: More than 21 million records were leaked on a Telegram channel earlier this week. According to VPNMentor, the leak contained email addresses and hashed passwords of users of several VPNs, such as GeckoVPN, SuperVPN, and ChatVPN, and the data appears to be a freely released copy of a private database that was sold last year on the dark web. The file, a Cassandra database dump, is dated 2021-02-25, according to researchers.

Blizzard DDoS: Blizzard said it was targeted by a DDoS attack on Wednesday. The attack was timed to coincide with the launch of the "Godzilla-vs-King Kong" event in the company's Call of Duty: Warzone title.

More Killnet DDoS bragging: Pro-Russian group Killnet has taken credit for a wave of DDoS attacks that hit Italian government sites this week. Targeted sites included those of the Defense Ministry, the Ecology Transition Ministry, the Parliament, the national health agency, and several high-profile private organizations, such as the Automobile Club d'Italia. Besides Italy, Killnet has also DDoSed government sites in the US, Estonia, Poland, the Czech Republic, Romania, Moldova, and several other NATO members, primarily because those countries showed public support for Ukraine. The good news for defenders is that Romania's DNSC has published a list of 11k IP addresses that Killnet has used in past attacks, which can be fed into blocklists and DDoS filtering rules.

General tech and privacy

Google I/O 2022: Google on Wednesday presented the security and privacy features that will be coming to Google and Android products in the coming year. The new features include:

  1. new phishing and malware protections for Google Workspaces;
  2. more users to be enrolled in 2SV;
  3. a new Security & Privacy settings page with Android 13;
  4. Android 13 will automatically delete your clipboard history after a short time to preemptively block apps from seeing old copied information;
  5. a new ad center to let users control what ads they see;
  6. a new Search tool to help control your online presence;
  7. a virtual card system for safely storing payment card data and using temporary virtual card numbers, in place of the real one, on shady e-commerce portals.

Supply chain security: In a series of meetings at the White House this week, several US tech companies agreed to contribute hundreds of millions of US dollars as part of a plan [PDF] to shore up the security of open-source software, Politico reported. The plan was put together following a call from President Joe Biden last year, in which he asked the US tech sector to build better defenses against software supply chain attacks like the SolarWinds hack. Led by the Linux Foundation's Open Source Security Foundation (OpenSSF), the coalition also includes Google, Microsoft, Amazon, Meta, and Cisco. Besides funds to support open-source software security, companies like Dell and Google will also set up dedicated teams to help write the code and tools needed to protect the FOSS ecosystem.

Website tracking: A new academic study [PDF] has found that certain third-party tracking companies collect what users type into forms in real time, even if users never submit the form. The behavior was found on 2,950 US websites and 1,844 EU sites, likely in violation of the GDPR. More in Wired's coverage here.

Chrome 101: Google has released Chrome 101, which also comes with fixes for 13 security bugs. The latest Chrome version is now 101.0.4951.64.

Beware: Microsoft said that the recent May 2022 Patch Tuesday security updates are breaking authentication on some servers. Ouch!

Government, politics, and policy

Five Eyes joint alert: Five Eyes countries have published another joint cybersecurity advisory, this time on the need to secure managed service providers (MSPs), which have often been the target of some major hacks in recent years.

Privacy expert in the FTC: The US Senate has confirmed Alvaro Bedoya as the fifth commissioner on the FTC board. Bedoya is a renowned digital privacy expert, having founded the Center on Privacy and Technology at Georgetown University.

CIA has a new CISO: The CIA said Thursday it had selected Joseph "Rich" Baich as its new chief information security officer (CISO), The Record reported. Baich previously served as CISO of the American Insurance Group (AIG), as CISO of Wells Fargo, and as a principal in Deloitte's Global Cyber Threat and Vulnerability Management practice.

EU's patchy security landscape: In an article published this week with the IIEA, Ciaran Martin, former head of the UK National Cyber Security Centre, said that the EU's "fragmented" approach to cybersecurity and the "patchy" capabilities of member states are creating several problems in terms of combating state-sponsored threats. "The EU is currently fragmented between Member States and EU institutions, preventing a coherent European cyber security strategy," Mr. Martin said. Additional coverage in the Irish Examiner.

Cybercrime and threat intel

npm supply chain... pen-testing: A security firm named Code White took responsibility this week for flooding the npm registry with a large number of malicious packages containing a sophisticated backdoor. The packages were uploaded from multiple developer accounts, but all used the names of German industrial companies, suggesting they were part of a dependency confusion attack (penetration test) against German companies.

Conti denies Black Basta connections: In a message posted on their leak site, the Conti ransomware group has denied recent reports linking it to the Black Basta ransomware operation. With the Conti source code and their offensive playbook out in the public domain and with loads of past angry affiliates out there, it also wouldn't be a surprise if Conti was right and none of their core members were associated with the Black Basta group.

BlueSky ransomware: A new ransomware named BlueSky was also spotted earlier this week. Details about it and its use remain scarce, though.

WordPress hacking campaign: GoDaddy's Sucuri said on Wednesday that it uncovered a massive botnet of hacked WordPress sites that were infected with a piece of JavaScript code that redirected users to malicious or scammy sites. More than 6,000 websites were infected in April alone, according to the company.

PayPal hacker sentenced: The US DOJ announced that a Texas man has been sentenced to five years in prison, followed by three years of supervised release. Marcos Ponce, 37, of Austin, pleaded guilty to buying 38,000 PayPal credentials in a scheme to empty the compromised accounts and steal their money.

Brute-force botnet owner sentenced: The US DOJ also announced that Glib Oleksandr Ivanov-Tolpintsev, a 28-year-old Ukrainian national, has been sentenced to four years in prison for running a brute-force botnet and selling access to the hacked PC accounts it collected.

Malware technical reports

Nerbian RAT: Proofpoint has published a report on a phishing campaign using COVID-19 and WHO themes and spreading Nerbian RAT, a new Go-based malware strain.

IceApple: CrowdStrike said it discovered a threat actor deploying a post-exploitation framework named IceApple on hacked Microsoft Exchange email servers. Attacks using this tool have been traced back to at least May 2021.

Tricephalic Hellkeeper: French security firm ExaTrack has published an analysis of Tricephalic Hellkeeper [PDF], a new passive backdoor targeting Linux and Solaris servers, which can use TCP, UDP, or ICMP packets as remote triggers.

BPFDoor: Sandfly Security has released a more technical look at the BPFDoor Linux backdoor first spotted and documented by PwC in a report earlier this month.

Yashma ransomware: SentinelOne published a report earlier this month on a new ransomware strain named Yashma, which the company says has been built on the code of the older Chaos ransomware. In addition, both ransomware strains appear to use the same Bitcoin addresses for ransom payments.

BlackGuard Stealer: S2W Lab has published a report on the history and evolution of BlackGuard Stealer, an infostealer strain advertised and sold via Russian cybercrime forums.

New Lazarus malware: The ESET research team has a Twitter thread on a new Lazarus malware sample disguised as a Windows control panel item.

APTs and cyber-espionage

Bitter APT: Cisco Talos has a report out on a recent spear-phishing campaign from the Bitter APT. The Talos team noted that this recent operation appears to target users in Bangladesh, a change from the group's usual victims. The final payload in this campaign is a new trojan that Talos called ZxxZ.

APT34: In a report this week, Malwarebytes said it saw APT34 (aka Oilrig, a suspected Iranian espionage group) targeting members of the Jordanian government with Saitama, a new backdoor trojan. Per the company, Saitama abuses the DNS protocol for its C&C communications and relies on techniques such as compression and long random sleep times to stay undetected.

Cobalt Mirage: Secureworks has published a report on a group the company calls Cobalt Mirage. The company says the group operates out of Iran, blurs the line between financially motivated attacks and espionage, and has even engaged in attacks that deployed ransomware against US-based organizations.

Earth Berberoka: SentinelOne has published a report on Earth Berberoka (aka GamblingPuppet), a new APT group. The report also covers the group's oRAT, a Go-based cross-platform remote access trojan that the group has distributed in recent campaigns disguised as a crypto trading application.

Operation EviLoong: Chinese security firm QiAnXin has published a report on Operation EviLoong, a series of attacks by the APT-Q-29 threat group. The attacks go back as far as 2013 and have hit organizations in East Asia, Southeast Asia, Europe, and North America.

Vulnerabilities and bug bounty

Konica Minolta vulnerability: The SEC Consult team has a vulnerability report about a bug in Konica Minolta printers that took three years to fix because the vendor had to manually patch each affected device in the middle of the COVID-19 pandemic.

Yik Yak exposure: Privacy researchers have found a way to obtain the precise location of Yik Yak posts, potentially exposing users to doxing or stalking, Motherboard reported.

D-Link router bug: A command injection vulnerability in the web management interface of the D-Link DIR-1260 Wi-Fi router allows unauthenticated attackers to execute arbitrary commands on the device with root privileges, according to Exodus Intelligence.

Zyxel firewall bug: Rapid7 has disclosed an unauthenticated remote command injection bug (CVE-2022-30525) in Zyxel firewalls. More than 15,000 Zyxel firewalls that could be vulnerable to this bug are exposed on the internet. A Metasploit module is also available, so patching should not be delayed.

Vanity URLs: The Varonis team has a report out on how they exploited vanity URLs provided by Box, Zoom, Google Docs, and Google Forms for phishing attacks.

Infosec industry

YARA tutorial: Intezer has a tutorial out on how to write YARA rules to detect code reuse.

Also, Happy WannaCry Day for yesterday... for whoever is celebrating that kind of stuff!