week

Over the past week there have been many hot topics in the cybersecurity world. This edition of This Week in Cybersecurity includes stories about Log4Shell continuing to pop up, a government contractor showing their ability to spy on CIA and NSA personnel, supply chain attacks becoming an increasing threat, and more. Check out the articles below for more on each story.

AWS’s Log4Shell Hot Patch Vulnerable To Container Escape and Privilege Escalation

Following Log4Shell, AWS released several hot patch solutions that monitor for vulnerable Java applications and Java containers and patch them on the fly. If you installed the hot patch to a Kubernetes cluster, every container in your cluster can now escape until you either disable the hot patch or upgrade to the fixed version. A hot patch Daemonset for Kubernetes clusters, which installs the aforementioned hot patch service on all nodes is now available. To patch Java processes inside containers, the hot patch solutions invoke certain container binaries. In Kubernetes clusters, you can install the fixed hot patch version by deploying the latest Daemonset provided by AWS. Note that only deleting the hot patch Daemonset doesn’t remove the hot patch service from your nodes. Penetration testing and vulnerability management remains a key tool to mitigate risks like this.

American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. According to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population.

In a sales pitch, to fully impress upon its audience the immense power of this software, Anomaly Six did what few in the world can claim to do: spied on American spies. “I like making fun of our own people,” Clark began. Pulling up a Google Maps-like satellite view, the sales rep showed the NSA’s headquarters in Fort Meade, Maryland, and the CIA’s headquarters in Langley, Virginia. With virtual boundary boxes drawn around both, a technique known as geofencing, A6’s software revealed an incredible intelligence bounty: 183 dots representing phones that had visited both agencies potentially belonging to American intelligence personnel, with hundreds of lines streaking outward revealing their movements, ready to track throughout the world. “So, if I’m a foreign intel officer, that’s 183 start points for me now,” Clark noted. This isn’t the first time we have heard about a story like this. nGuard has covered a similar topic to this with the NSO Group and their spyware, Pegasus.

Cyber Agencies Renew Warnings Of Russia-Linked Threats Against Industrial Targets

Federal and international authorities issued urgent warnings Wednesday, April 21^st to critical infrastructure providers to take precautions against potential retaliatory cyberattacks from alleged Russian state actors and criminal cyber groups.

Experts have linked other nation state-affiliated actors like Berserk Bear to past cyber incidents against U.S. and Western European targets ranging from energy, transportation, defense contractors as well as water and wastewater system facilities.

nGuard has been helping secure critical infrastructure since 2002 and can validate your segmentation between your business and critical networks and help you stay on top of time sensitive alerts with a managed SIEM.

North Korean Crypto Hacks a Growing Threat, U.S. Warns

A trio of U.S. agencies have issued a joint advisory to warn of escalating North Korean cyberattacks on cryptocurrency and blockchain platforms. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the U.S. Treasury Department issued the alert Monday in the wake of a stunning $620 million crypto heist by the Pyongyang-connected Lazarus Group.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

The length of time attackers remained undetected on a victim’s network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant. In general, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms. Additionally, government agencies and security firms often notify victims of attacks, leading to faster detection.

Overall, two methods of initial compromise – exploiting vulnerabilities and attacks through the supply chain – accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020. Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks.

Prior to a cyberattack ever occurring, be sure to be proactive and have an incident response partner in place. An incident response retainer ensures the fastest response possible from a third party. nGuard offers its CSIR Complete service which is a full CSIR program with guaranteed service-level commitments, priority response, and ongoing proactive activities throughout the year.

6 Malware Tools Designed to Disrupt Industrial Control Systems (ICS)

A recent attempt by Russia’s infamous Sandworm threat group to disrupt operations at a Ukrainian power company has once again drawn attention to the — still somewhat limited — collection of publicly known tools designed specifically to disrupt industrial control systems. Ukraine’s computer emergency response team (CERT-UA) thwarted the attack before any damage was done. Unlike other malware, which often share commonalities in features and functions, ICS-specific malware tools have tended to be highly customized for targeted environments. Just last month, the FBI issued a Flash Alert on critical infrastructure being targeted with a ransomware strain called RagnarLocker.

Russia has launched a full-scale military invasion into the country of Ukraine and with that comes the increased risk of cyber-attacks across the globe. Over the last couple weeks, we have seen many of these threats come to fruition as Ukrainian web sites were defaced and taken offline. New strains of data-destroying malware were also found to be deployed on critical government systems. Below are some of the most current cyber incidents that are taking place as a result of recent Russian aggression.

More than 70 Ukrainian government website have been defaced in cyberattacks (npr.org)
In a call conducted by Mary Louise Kelly, NPR’s cyber security correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted concerning messages in multiple languages telling viewers to be afraid and expect the worst. Jenna says these attacks are unsophisticated operations linked to a hacking group located in Russia and Belarus.

Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, “wiper” malware was also being deployed on compromised systems. This malware aims to locate and destroy data residing on system drives. “ESET telemetry shows that the malware was installed on hundreds of machines in the country.”

Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in a response to their recent military action against Ukraine. Two U.S. intelligence officials say that while no final decision has been made, all options remain on the table. “You could do everything from slow the trains down to have them fall off the tracks,” one person briefed on the matter said.

Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that a Russian ransomware gang, Conti, was making threats to hack the critical infrastructure of any nation or organization that retaliates against Russia for its recent military operations in Ukraine. The Conti gang issued its full support for the Russian government. This group is well known for launching government sponsored cyber attacks across the globe that have had devastating impacts.

Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking group Anonymous has made it known that they will be launching a retaliatory cyber campaign against the Russian government following the special military operation launched by President Putin in Ukraine. Posted on their official Twitter account last Thursday read “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.

The United States government has issued strong warnings to organizations that reiterate the need to have a strong security posture during these times of uncertainty. nGuard account executives are ready to discuss any and all cyber security needs to help boost the readiness of your organization.