Newsletters

Written content from the Risky Business Media team

Risky Biz News: Microsoft and Fortra go after cracked Cobalt Strike versions

Presented by

Catalin Cimpanu

News Editor

Microsoft told RiskyBizNews that its Defender security platform has detected around 1.5 million infected computers communicating with cracked Cobalt Strike servers over the past two years.

A 2020 Recorded Future report found that more than 1,400 malware C&C servers were using Cobalt Strike as their backend at the time. A Censys search currently returns ~540 Cobalt Strike servers hosted in the wild.

Microsoft, together with Fortra and Health-ISAC, say they now plan to use the recently-obtained court order to "notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs)" and have them assist in taking cracked Cobalt Strike servers offline.

UK's National Cyber Force: A Bunch of Mindf-ckers

Presented by

Tom Uren

Policy & Intelligence

The UK's National Cyber Force (NCF) has published its views on "being a responsible cyber power" and explained how it currently conducts offensive cyber operations (those that deny, degrade, disrupt). It's a great read, and what shines through very strongly is that for the NCF the goal of these types of operations is to mess with people's minds.

The NCF is the UK's equivalent of US Cyber Command and was established in 2020 to operate "in and through cyberspace to disrupt, deny, degrade and contest those who would do harm to the UK and its allies". It brings together personnel from UK defence and intelligence agencies such as GCHQ, boffins from the Ministry of Defence and the SIS (aka MI6, the UK's foreign HUMINT organisation).

So, not just a bunch of cyber geeks, then. This breadth of perspectives is evident in the human-centric way that the NCF talks about its goal, which is not about dominating cyberspace but is instead to mess with people:

Risky Biz News: UK government confirms NCF offensive cyber operations

Presented by

Catalin Cimpanu

News Editor

WD breach: American data storage company Western Digital says hackers gained access and stole data from some of its internal systems. The incident took place on March 26, the company said in a statement. Western Digital says it shut down the affected system and is working with a security vendor to investigate the breach and restore the affected systems. Some of the company's cloud systems were down over the weekend as a result of the attack.

eFile compromise: The website of eFile.com, an IRS-authorised service for filing tax returns, has been compromised and used to deliver malware to visitors. According to researchers from the ISC SANS, the website was modified with a malicious JavaScript file that prompted users to update their browsers. These updates would download malicious Windows executables—labeled as trojans by the file-scanning service VirusTotal.

KNVB hack: The Dutch football (soccer) federation says that hackers have breached its servers and stolen the personal information of its employees. The incident took place on Saturday. The KNVB says it reported the breach to the Dutch Data Protection Agency.

Risky Biz News: Microsoft addresses OneNote malspam problem, promises fixes through the year

Presented by

Catalin Cimpanu

News Editor

The abuse has been rampant and hard to miss. Cybersecurity firms like Proofpoint, Sophos, WithSecure, McAfee, Perception Point, OpalSec, S2W, InQuest, Yoroi, K7, and Trustwave [1, 2] have all published reports in recent weeks covering the OneNote abuse—by both cybercrime and APT groups alike.

Until now, OneNote's default behavior has been to show a warning to users that opening the embedded file could be damaging to their computers.

Starting mid-April and continuing throughout the year, Microsoft says it plans to update the OneNote app across its platforms and block the execution of embedded files altogether. Instead of the popup warning users about the embedded file, OneNote would show one telling them the file will not be executed at all.

Risky Biz News: North Korean hackers behind supply chain attack on 3CX

Presented by

Catalin Cimpanu

News Editor

A Shodan search returns more than 245,000 3CX VoIP IPBX servers, just to give you an idea of how popular the 3CX system is.

As for 3CX, well, it's not good. At all. First, they didn't detect the intrusion for months. Second, when several antivirus products started detecting their clients as malicious, they repeatedly claimed it was just false positives, over and over again, without investigating further. When 4-5 different vendors see the same thing, it's probably an indicator you should look at your app. Third, some customers said that when they went to 3CX's customer support with CrowdStrike's findings, they were asked to "open a support ticket at £75 per incident." That's just... not what people wanted to hear.

The company did eventually confirm the incident in a blog post and promised to release new clean desktop client versions. Until then, 3CX recommended that customers use its web-based PWA app instead.

Air Force. Navy. Army. Cyber Force?

Presented by

Tom Uren

Policy & Intelligence

A professional association for military cyber professionals, the MCPA, is calling on Congress to establish a 7th branch of the armed services, a US Cyber Force.

The formal request, a single page, is a bit light on, and the justification is contained in a single paragraph:

That's it, and we are not convinced.

Risky Biz News: White House bars federal agencies from using rogue commercial spyware

Presented by

Catalin Cimpanu

News Editor

France bans recreational apps from govt devices: The French government has banned public officials from installing any type of "recreational apps" on their work phones. The ban covers TikTok but also other social media applications. The French government cited national security concerns for imposing the ban. More in the government's press release [PDF].

Bug bounty bill stalls in Russia: A proposed law to legalize white-hat bug bounty programs in Russia has hit a roadblock following criticism filed by the FSB intelligence agency, according to Vedomosti.

Iran receives Russian cyber-weapons: The Russian government is supplying advanced cyber weapons to Iran. The deal is part of an exchange where Iran has provided Russia with drones and ammunition to be used in its war in Ukraine. Sources who spoke with the WSJ [non-paywall] say the Tehran regime has received advanced software to hack the phones and systems of dissidents and adversaries. In addition, Russia has provided Iran with equipment and software for internet censorship, allowing Tehran officials to monitor, intercept, redirect, or degrade the mobile communications of its citizens.

Risky Biz News: Team Synacktiv wins a Tesla and a cool half mil at Pwn2Own 2023

Presented by

Catalin Cimpanu

News Editor

Synacktiv's team members for this year's contest included Eloi Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert.

Besides the $530,000 and the Master of Pwn trophy, Synacktiv will also receive a Tesla Model 3 car—as part of an agreement between the contest organizers (the Zero-Day Initiative) and Tesla.

All in all, Synacktiv went home with more than half of the prizes awarded at Pwn2Own this year—$1,035,000 and a car.

Risky Biz News: FTC looks at cloud providers, their business practices, and data security

Presented by

Catalin Cimpanu

News Editor

Chinese security products for Russia: As part of the recent high-level meetings between Russian and Chinese officials in Moscow this week, the two governments signed several treaties of cooperation, including on cybersecurity topics. According to Russian news outlet Octagon Media, China will provide Russia with "test system firewalls" that can be used to protect against cyber attacks and help disconnect the country from the global internet network. These systems will be deployed in Russia's largest urban centers, such as Moscow, St. Petersburg, Kazan, Vladivostok, Grozny, and other cities with populations over one million. In addition, the two governments have also agreed that their intelligence services will cooperate on "cybersecurity issues," although details are obviously not public on what this can mean.

Russia has dumb IT idea again: The Federal Service for Technical Export Control, an agency inside the Russian Ministry of Defense, is exploring the idea of forcing Russian critical infrastructure operators to block their email servers from interacting with foreign IP addresses. The "galaxy brain" idea, reported by Kommersant, will most likely lead to some hilarious situations where legitimate emails and alerts won't get delivered, likely leading to technical outages and missed communications with customers and contractors.

UK healthcare cybersecurity strategy: The UK government has published a cybersecurity strategy for the healthcare and social care sector. The strategy focuses on five pillars: (1) focusing on the greatest risks and harms; (2) defending as one; (3) establishing a cyber culture and a cyber workforce; (4) building secure systems; and (5) exemplary response and recovery.

"Putin's Chef" Cooks up Infosec Disaster

Presented by

Tom Uren

Policy & Intelligence

In addition to Wagner, Prigozhin controls other state-linked companies such as a large catering business and the Internet Research Agency, which used social media to interfere with the 2016 US Presidential election. At various times he's been described as a close confidant of Vladimir Putin, although that closeness has probably been overstated in most public reporting.

The investigation into his business empire's IT operations, fueled by an analysis of the stolen documents, was published by Dossier Center, a Russian transparency initiative funded by exiled Russian opposition figure Mikhail Khodorkovsky.

The exposé (English translation here) based on the leaked documents makes for remarkable reading. There's the substance of the documents — he's apparently been keeping two sets of accounting books, for example — and then there's the meta revelations about how Prigozhin's organisation approaches security. Its approach to infosec is, to put it one way, extremely not great.