Risky Biz News: Russia is building a centralized video surveillance system

In other news: Microsoft didn't update driver blocklist for two years; Dutch police scam ransomware gang; and Prestige ransomware used in targeted attacks in Ukraine and Poland.

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The Russian government is taking a page out of China's book (again) and is laying the groundwork to build a national video surveillance system that it will most likely use to keep a foot on its citizens' necks.

Citing anonymous sources, Russian news outlet Kommersant reported last week that the Russian government intends to centralize and aggregate streams from video surveillance systems from all over the country to a data center it is building in Moscow.

This new national surveillance system is scheduled to launch by December 16 and will be run by the Moscow Department of Information Technology.

This is the same department that has been running Moscow's city-wide CCTV system, complete with facial recognition applied to streams from more than 175,000 cameras from across 4,000 city locations—which was infamously compromised back in 2019 [English coverage].

Kremlin officials said they need to centralize streams from all over Russia in Moscow because "no region can afford full-fledged computing power to process such a volume of data" and in order to allow law enforcement agencies to crack down on increased "terrorist threats."

Authorities are most likely referring to the recent explosions across the country—obvious signs of increasing dissent—but Kommersant also points out that the same system could be used to identify and track down draft dodgers across Russia.

The Kremlin's plan comes as reports are emerging from Russia about the government's desperation to get hold of new cannon fodder... we mean recruits... for its military force fighting in Ukraine. According to WaPo, Russian military and police forces have been seen handing out mobilization forms to men in its larger cities, in public spaces, apartment building lobbies, metro stations, malls, and even cafes and restaurants.

Until now, the vast majority of recruits have been from Russia's minority groups and its smaller cities, a fact that has not gone unnoticed by the local population, who have been fighting back by setting local recruitment centers on fire for months.

The war, already very unpopular in Russia's larger cities and cosmopolitan areas, is expected to trigger even more protests now that what was a small inconvenience for most has suddenly turned into a matter of life and death—protests and unrest the Russian government has been trying to stay ahead of in recent months by tightening internet censorship rules to "China level" and now by centralizing all CCTV video feeds under the Kremlin's nose.

Breaches and hacks

Tata Power: Tata Power, one of the largest electrical power producers in India, disclosed a security breach in a document [PDF] filed with India's national stock exchange. The company said the incident only impacted its IT systems—which it is currently restoring—and that all other critical systems are operating as normal. [Additional coverage in TechCrunch]

Woolworths breach: Australian retail chain Woolworths said that a threat actor compromised an employee's credentials and accessed the backend of its MyDeal portal. The company is currently sending email notifications to all affected customers. Exposed data includes names, dates of birth, phone numbers, and home addresses, according to a notification seen by ABC.

Advanced incident: Advanced, one of the biggest IT providers for the UK NHS, disclosed a security breach last week, admitting it had its IT network compromised following an infection with the LockBit 3.0 ransomware.

"The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server. During the initial logon session, the attacker moved laterally in Advanced's Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data."

DDoS attacks hit Bulgarian govt sites: Russian hacking group KillNet claimed responsibility for a series of DDoS attacks that hit and took down several Bulgarian government portals, including the websites of the Bulgarian Presidency and several ministries like the Interior and Defense.

General tech and privacy

Microsoft didn't update driver blocklist for two years: Microsoft has confirmed that since 2019, for more than two years, its staff failed to push new updates to a blocklist meant to prevent the installation of known vulnerable drivers on Windows. The company's admission comes after cybersecurity firms started noting a trend in BYOVD (Bring Your Own Vulnerable Driver) exploits, attacks where threat actors install and then exploit a vulnerable driver to elevate their access on a system instead of attacking the OS itself. The driver blocklist is not enabled by default on Windows, which makes the lapse worse rather than better: the organizations that did turn the feature on relied on it as a security boundary in their networks and planned around the expectation that the list would receive regular updates for newly discovered vulnerable drivers.
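For admins who did rely on the blocklist, the practical question is whether their hosts enforce it at all and when the policy they enforce was last refreshed. The PowerShell below is an added example written for this newsletter, not a Microsoft tool. The registry toggle and the Win32_DeviceGuard class are documented by Microsoft; the names of the policy files under CodeIntegrity vary by Windows build, so the script lists whatever is there rather than assuming a file name, and the 30-day event window is an arbitrary choice.

```powershell
# Added example: audit vulnerable-driver-blocklist enforcement on one Windows host.

# 1. The explicit blocklist toggle (DWORD 1 = enabled). Absent means the host
#    relies on the build's default and on HVCI, not on an admin decision.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$toggle = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
if ($null -eq $toggle) {
    Write-Output 'VulnerableDriverBlocklistEnable: not set'
} else {
    Write-Output ("VulnerableDriverBlocklistEnable: {0}" -f $toggle.VulnerableDriverBlocklistEnable)
}

# 2. HVCI (memory integrity) and kernel-mode code-integrity policy status.
#    SecurityServicesRunning contains 2 when HVCI is active;
#    CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Write-Output ("HVCI running: {0}" -f ($dg.SecurityServicesRunning -contains 2))
Write-Output ("Kernel CI policy enforcement: {0}" -f $dg.CodeIntegrityPolicyEnforcementStatus)

# 3. Age of the code-integrity policy files actually on disk. A LastWriteTime
#    from years ago is exactly the symptom the story above describes.
Get-ChildItem "$env:SystemRoot\System32\CodeIntegrity" -Filter '*.p7b' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize

# 4. Evidence the list is doing work: event ID 3077 in the Code Integrity
#    operational log records a driver load blocked by policy. No events proves
#    nothing; events show enforcement is live.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3077
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 10
```

Run it elevated; the DeviceGuard namespace and the operational log are not readable from a standard user session on every build.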

Donate to Tor: The Tor Project launched its yearly end-of-year donation campaign. The organization is asking for donations from its users in an attempt to diversify its revenue stream, which in previous years has been solely reliant on DoD funding.

Proofpoint is one of this newsletter's main sponsors. Below is a product demo Patrick Gray, the host of the main Risky Business podcast, recorded with them last year, where they show off Nexus People Risk Explorer, the company's product for mitigating insider threats:

Cybercrime and threat intel

Bored Ape phishers detained: French authorities detained five suspects in Paris last week on suspicion of orchestrating a sprawling phishing campaign throughout 2021 and 2022 that targeted owners of Bored Ape NFTs. According to authorities, the group is believed to have stolen NFTs worth $2.5 million (at the time of the thefts, of course). French press credited blockchain investigator ZachXBT with initially tracking down the five suspects back in August.

Police scam ransomware gang: Dutch police said they successfully swindled the operators of the Deadbolt ransomware out of 155 decryption keys, which they are now making available to victims so they can recover their files for free. Authorities said they were able to pull off the scheme after Dutch security firm Responders.NU found that the Deadbolt gang delivered the decryption key inside the metadata of a Bitcoin transaction, revealed to victims once they make a payment. Using this trick, Dutch police made several payments to the Deadbolt gang, received the decryption keys, and then immediately canceled the transactions. The recovered keys are now publicly available for past victims.
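The "metadata of a Bitcoin transaction" where such a key can be read back is, in practice, an OP_RETURN output, and the transaction is public the moment it is broadcast, confirmed or not. The Python below is an added example, not code from the Dutch police or Responders.NU; it parses a raw serialized transaction and pulls out every OP_RETURN payload, handling the segwit marker and the three PUSHDATA forms. That Deadbolt used OP_RETURN specifically is an assumption here (the newsletter only says "metadata"), and the sample transaction is constructed for illustration, not a real Deadbolt transaction.

```python
"""Extract OP_RETURN payloads from a raw Bitcoin transaction (added example)."""
from __future__ import annotations

import struct

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def read_varint(raw: bytes, pos: int) -> tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at raw[pos]; return (value, new_pos)."""
    first = raw[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", raw, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", raw, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", raw, pos + 1)[0], pos + 9


def tx_outputs(raw: bytes) -> list[tuple[int, bytes]]:
    """Walk the serialized transaction and return (value_sats, scriptPubKey) per output."""
    pos = 4  # skip 4-byte version
    # BIP144 segwit serialization puts marker 0x00 and flag 0x01 before the input count.
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs  # witness data and locktime follow; not needed here


def op_return_payloads(raw: bytes) -> list[bytes]:
    """Return the pushed data from every OP_RETURN output in the transaction."""
    payloads = []
    for _, script in tx_outputs(raw):
        if not script or script[0] != OP_RETURN:
            continue
        pos = 1
        while pos < len(script):
            op = script[pos]
            pos += 1
            if 0x01 <= op <= 0x4B:          # direct push of 1..75 bytes
                length = op
            elif op == OP_PUSHDATA1:
                length, pos = script[pos], pos + 1
            elif op == OP_PUSHDATA2:
                length, pos = struct.unpack_from("<H", script, pos)[0], pos + 2
            elif op == OP_PUSHDATA4:
                length, pos = struct.unpack_from("<I", script, pos)[0], pos + 4
            else:
                break                        # OP_0 or a non-push opcode: nothing more to extract
            payloads.append(script[pos:pos + length])
            pos += length
    return payloads


# Constructed sample (not a real transaction): one dummy input, an OP_RETURN
# output carrying a 32-byte "key", and an ordinary P2PKH output.
SAMPLE_KEY = bytes(range(32))
SAMPLE_TX = bytes.fromhex(
    "01000000"                          # version
    "01"                                # input count
    + "00" * 32 + "00000000"            # previous txid + index (dummy)
    + "00" + "ffffffff"                 # empty scriptSig, sequence
    + "02"                              # output count
    + "0000000000000000" + "22"         # value 0, script length 34
    + "6a20" + SAMPLE_KEY.hex()         # OP_RETURN, push 32 bytes
    + "50c3000000000000" + "19"         # 50000 sats, script length 25
    + "76a914" + "11" * 20 + "88ac"     # P2PKH scriptPubKey
    + "00000000"                        # locktime
)

if __name__ == "__main__":
    for payload in op_return_payloads(SAMPLE_TX):
        print(f"OP_RETURN payload ({len(payload)} bytes): {payload.hex()}")
```

Feed it the hex of any transaction from a node's `getrawtransaction` and it works the same way; the point for incident responders is that whatever a gang writes to the chain is readable by anyone with a copy of the transaction, before and regardless of confirmation.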

Puerto Rican student sentenced for hacking: Iván Santell-Velázquez, a former University of Puerto Rico (UPR) student, was sentenced to 13 months in prison for hacking the university email and Snapchat accounts of more than 100 female fellow students and publishing their nude pictures on social media.

Operation Jackal: After South African news outlets reported that Interpol arrested two members of the "Air Lords" Nigerian crime syndicate for BEC-related attacks, Interpol set the record straight on Friday and clarified that the two men arrested are actually members of the "Black Axe" Nigerian crime syndicate and that the arrests had taken place as part of Operation Jackal, which "marks the first time INTERPOL has coordinated a global operation specifically against Black Axe, which is rapidly becoming a major security threat worldwide." Interpol said the two arrests were part of a larger crackdown on Black Axe operations across the world, which included 75 arrests in total.

Ransom Cartel: PAN's Unit 42 threat intel team published a report on Ransom Cartel, a data extortion group that surfaced in December 2021 and which researchers believe might be a front for the old REvil ransomware group.

8220 Gang: SentinelOne said last week that 8220 Gang, an infamous cybercrime group that is known for targeting cloud-based infrastructure for cryptomining attacks, has updated its infrastructure and attack methods and is now targeting misconfigured versions of Docker, Apache, and WebLogic servers. In a previous report in July, SentinelOne said the gang infected more than 30,000 cloud servers by exploiting known vulnerabilities and via brute-force attacks.

Iran protests: Still unconfirmed, but worth looking into in the future.

Malware technical reports

Prestige ransomware: Microsoft said it spotted a new ransomware strain named Prestige that was deployed last week in a campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland. The OS maker didn't link the ransomware to any particular group but said the attacks overlap with previous victims of the FoxBlade (HermeticWiper) data-wiping malware.

BlueSky ransomware: CloudSEK researchers have published a technical breakdown of the BlueSky ransomware. First spotted in the wild in May this year, the ransomware is believed to be operated by a Russian national from Krasnodar, according to a previous report from the same company. Another technical report on this threat is also available courtesy of Italian security firm YOROI.

Royal ransomware: Fortinet's threat team published a report on the new Royal (Zeon) ransomware, an operation that launched in January this year and has been focusing its attacks on enterprise networks.

BianLian ransomware: On the same note, BlackBerry's security team also has a write-up on the BianLian ransomware and its "fast" encryption routine.

Prynt infostealer: CYFIRMA researchers noted an increase in malware operations deploying the Prynt infostealer in the wild, which is somewhat baffling given the recent discovery of a backdoor in the malware's code.

APTs and cyber-espionage

Japan warning: The Japanese National Police Agency published a public advisory last week, warning that Lazarus, a group of North Korean state-sponsored hackers, sent multiple phishing emails to the employees of Japan-based cryptocurrency companies in the hopes of infecting their systems and stealing funds.

Vulnerabilities and bug bounty

PAN bypass: Palo Alto Networks fixed this week an authentication bypass vulnerability (CVE-2022-0030) in its PAN-OS operating system, used for its firewalls and other networking devices.

Microsoft365 encryption flaw: WithSecure researchers said they found a vulnerability in the Microsoft Office 365 Message Encryption (OME) system that can leak information about encrypted emails sent through the service. The issue stems from Microsoft's use of the insecure Electronic Codebook (ECB) mode of operation, in which every block of plaintext is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and the ciphertext mirrors the structure of the message. WithSecure said that after it notified Microsoft, the company declined to patch the issue.

"Unfortunately the OME messages are encrypted in insecure Electronic Codebook (ECB) mode of operation. [...] This mode is generally insecure and can leak information about the structure of the messages sent, which can lead to partial or full message disclosure."
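To make the leak concrete, here is an added example written for this newsletter, not WithSecure's or Microsoft's code. It encrypts the same structured message in ECB and in CBC and shows that the ECB ciphertext reproduces the message's layout block for block, while CBC hides it; it also includes the repeated-block check an analyst would run on a captured OME message to confirm the mode. To keep the script dependency-free, the per-block transform is a keyed HMAC-SHA256 truncated to 16 bytes standing in for an AES block encryption (it is not invertible, which does not matter for the leak or the detector: any deterministic block cipher behaves identically in ECB). The key, IV and message are constructed here.

```python
"""ECB structure leak and a repeated-block detector (added example)."""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: deterministic, keyed, 16-byte output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted on its own, so equal blocks give equal ciphertext."""
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block XORed with the previous ciphertext block before encryption."""
    data = pad(data)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def block_pattern(ciphertext: bytes) -> list[int]:
    """Label each ciphertext block by first occurrence: equal blocks get equal labels."""
    labels: dict[bytes, int] = {}
    pattern = []
    for i in range(0, len(ciphertext), BLOCK):
        pattern.append(labels.setdefault(ciphertext[i:i + BLOCK], len(labels)))
    return pattern


def repeated_blocks(ciphertext: bytes) -> int:
    """How many blocks duplicate an earlier block; anything above 0 smells like ECB."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values() if c > 1)


def looks_like_ecb(ciphertext: bytes) -> bool:
    return repeated_blocks(ciphertext) > 0


# Constructed message: a ledger whose 16-byte rows mostly repeat, the kind of
# regularity (bitmap rows, CSV columns, boilerplate) that ECB exposes.
ROW = b"status=APPROVED;"           # exactly 16 bytes
MESSAGE = ROW * 6 + b"status=DENIED;  " + ROW * 3
KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
IV = bytes(range(16))

if __name__ == "__main__":
    ecb_ct = ecb_encrypt(KEY, MESSAGE)
    cbc_ct = cbc_encrypt(KEY, IV, MESSAGE)
    print("ECB block pattern:", block_pattern(ecb_ct))   # the odd row out is visible
    print("CBC block pattern:", block_pattern(cbc_ct))   # every block distinct
    print("ECB detected:", looks_like_ecb(ecb_ct), "| CBC detected:", looks_like_ecb(cbc_ct))
```

The ECB pattern prints the position of the single "DENIED" row and the padding block without a key; with a bitmap, that same effect is the recognisable silhouette WithSecure's write-up is about. The detector is the standard repeated-block test and only confirms ECB when the message has repeating 16-byte-aligned content, so a negative result on a short, high-entropy message is not proof of a safe mode.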

Windows zero-day analysis: Zscaler researchers published a technical analysis of CVE-2022-37969, a zero-day vulnerability in the Windows OS that they spotted exploited in the wild. Microsoft patched the vulnerability in the September 2022 Patch Tuesday.

Linux WLAN RCEs: The Linux kernel team has fixed five vulnerabilities in the Linux WiFi component that could be exploited via booby-trapped WLAN frames.

"During their research they found multiple more problems in the WLAN stack, exploitable over the air."

Telegram username leak: Like clockwork, ten days after Telegram founder Pavel Durov aggressively attacked WhatsApp for "containing security issues," security researchers have found a major leak of Telegram usernames in encrypted communications. Ha ha!

Infosec industry

Cybersecurity awareness month: Here's something to be aware of this "cybersecurity awareness" month—namely, bad cybersecurity advice.

New tool—RansomLook: Malware analyst @F_kZ_ open-sourced a new tool named RansomLook that can monitor the dark web leak sites of ransomware groups and data extortion groups to retrieve recently listed victims.

New tool—Monkey365: Security researcher Silverhack open-sourced a new tool called Monkey365, a PowerShell module that can be used to audit Azure cloud environments and their security configurations.

New tool—Regulator: US software engineer Peter Crampton developed and open-sourced a new tool named Regulator that uses a novel subdomain enumeration technique.

New tool—RedEye: CISA open-sourced last week a new tool called RedEye, an analytics tool to visualize and report red team command and control activities.

Editor’s note: Newsletter updated post-publication to clarify that the driver blocklist is not enabled on Windows systems by default.