Newsletters

Alcohol supply in Russia: A series of DDoS attacks carried out by Ukraine's IT Army on EGAIS, a government system used to control and regulate alcohol production in Russia, is apparently causing production delays and supply chain issues across the country. According to Russian "alcohol" media (because that's apparently a thing), alcohol factories and warehouses are very dependent on the EGAIS system, which they use to control supply volumes and avoid overstocking, and some beer factories had to temporarily shut down operations because of EGAIS being down.

Passwordless goes mainstream: Apple, Google, and Microsoft announced on Thursday plans to expand support for the FIDO standards inside their core products. At a technical, support for "passwordless" logins will mean that devices from the three companies will be able to handle a FIDO sign-in credential (referred to as a passkey) that will be stored on their devices. This passkey will be used when users want to sign up or log into mobile apps or websites. Instead of a password, their devices will provide this cryptographic-secure passkey instead. The FIDO Alliance said that the passkey wouldn't be shared unless users prove they are in control of the device by authenticating with a PIN, face scan, fingerprint, or even another nearby device (such as a smartphone). In a press release, the FIDO Alliance said it expects Apple, Google, and Microsoft devices and services to start supporting these new FIDO passkeys within the next year.

GitHub goes full 2FA: GitHub took steps on Wednesday to bolster the security of its ecosystem. The company announced that it will require all users who contribute code on projects hosted on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. According to the company, only 16.5% of current GitHub users have 2FA enabled, which is in itself a large adoption rate, compared to Twitter, where only 2.3% of users use 2FA.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

A new Microsoft report has taken a comprehensive look at how Russia is using cyber operations in its invasion of Ukraine.

There are two clear takeaways. The Russians have launched lots of operations, including nearly 40 destructive attacks, so there has been an active cyber component to this war (despite some mainstream reporting). But it's also clear that these cyber operations have not much changed the progress of the war. Microsoft writes the various attacks "have had an impact in terms of technical disruption of services and causing a chaotic information environment, but Microsoft is not able to evaluate their broader strategic impact".

Crippling cyberattacks: Cyber-attacks have crippled the activities of Onleihe, a popular German online book library service, Sixt, a German car sharing and car rental service, and Massy Stores, Trinidad's largest supermarket chain. The library's catalog has been offline for days; Sixt had to take car reservations using pen and paper on Friday; while several of Massy's stores are still closed following an incident last week. In addition, a ransomware attack has also forced the Kellogg Community College in Michigan to close its university campus and cancel classes on Monday and Tuesday this week.

Gaming cheaters go brr: Gaming cheat maker Aimware was hacked in 2019, and this data has now leaked into the public domain. It was added to Have I Been Pwned this week and will most likely be used to track down cheaters in games like Counter-Strike, Call of Duty, and PUBG.

K8s goes to the Sigstore: Kubernetes v1.24 was released this week; the first version of the Kubernetes system that supports Sigstore, a system for cryptographically signing software releases against supply chain attacks.

Indian data breach law: The Indian government passed an update to its Information Technology Act last week, requiring companies to report cybersecurity incidents to India's CERT team within six hours of when they occur. In addition, all cloud, VPS, and VPN providers will also have to record the names, emails, and IP addresses of all their subscribers, data that they must archive for at least five years. The new update is set to go into effect at the start of July.

French Muslim leak: French prosecutors opened a criminal investigation against Fdesouche—a French far-right website—after the site published the personal data of French Muslims last September. The leak allegedly contained the data of more than 100 individuals, such as Muslim activists, journalists, and imams. According to the French edition of the Huffington Post, this was the second leak published by Fdesouche after the organization published the email addresses and phone numbers of people working with organizations aiding migrants and refugees back in 2017.

Kronos fallout: Multiple class-action lawsuits have been filed over the month of April against some of the largest US companies that relied on the Kronos timekeeping apps to keep track and pay employees. Kronos (aka UKG) got hit by ransomware in December 2021 and took months to recover, causing long delays in employee payments. The company is the subject of several class-action lawsuits filed last year and in early January. But now, companies like PepsiCo, Mercedes-Benz, DHL, Frito-Lay, the Giant supermarket chain, call center giant Sitel Group, and the Cargill and Sodexo food corporations have all been sued for (still) unpaid wages related to the Kronos incident. As Zack Needles writes for BenefitsPro, this new wave of class-action lawsuits brings a new twist to ransomware-related mitigation, especially for attacks against large companies, where the legal consequences may now also start to impact their customers in the case of a super slow and bad recovery/response plan.

Lockbit ransomware: Sophos researchers said that one of the LockBit ransomware group affiliates has managed to infect some of their offensive hacking tools with the Neshta virus. Since Neshta is an old and very well detected threat, Sophos recommends that any Neshta detection should be investigated as a potential Lockbit ransomware intrusion going forward.

Gigantic Large DDoS attack: Cloudflare said it blocked a 15 million requests/s DDoS attack against a cryptocurrency investment platform. While this was not the largest application-layer attack ever recorded, which stands at a record of 17.2 million requests/s, Cloudflare said the attack was of note because it was carried out exclusively via HTTPS requests, which was surprising because of its large volume.

More Lapsus$ IOCs: After similar reports from Microsoft and others, the NCC Group has published its own analysis and insights into the Lapsus$ group's modus operandi.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

US lawmakers look like they will tackle the serious national security problems presented by the data broker ecosystem, but the current proposals don't go far enough.

A class-action lawsuit has been filed against Otonomo, a data broker that harvests and sells access to the location information of tens of millions of vehicles. The privacy protection mechanism described in Vice's original article on Otonomo — a pseudonymous identifier — is woefully inadequate, and it is entirely possible to identify people and track their behaviour over time. Otonomo gets data by striking deals with car manufacturers, but the lawsuit alleges that the owner of the car was not even asked for consent to be tracked.

Dirty Pipe exploitation: CISA says attackers are exploiting the Linux vulnerability known as Dirty Pipe. On Monday, the agency added the vulnerability to its list of actively exploited bugs and urged US federal agencies to patch systems by May 16. The agency also added six other vulnerabilities to the same list, including bugs in Jenkins, Microsoft, and WSO2 products.

WSO2 exploitation: A technical write-up is also available for CVE-2022-29464, the WSO2 remote code execution vulnerability that is also under exploitation and included in aforementioned CISA's must-patch recommendations.

VirusTotal denies bug report: VirusTotal founder Bernardo Quintero has dismissed a vulnerability report published on Monday by security firm CySource. The company claimed to have found a remote code execution vulnerability in the VirusTotal malware scanning platform. But Quintero told Risky Biz News that the researchers never gained access to VirusTotal servers. Instead, he said, the researchers only gained access to systems owned by security firms that were downloading and processing VirusTotal data. Quintero called the report "fake news" and posted screenshots of internal conversations about the report to Twitter, along with an official reply from Google's Vulnerability Research Program (VT is owned by Google).

Israeli hacker-for-hire pleads guilty: An Israeli private detective detained in New York since 2019 on charges of involvement in a hacker-for-hire scheme pleaded guilty to wire fraud, conspiracy to commit hacking and aggravated identity theft last week. According to Reuters, Aviram Azari is connected to Indian hacker-for-hire company BellTroX, where he organized a series of hacking missions on behalf of unnamed third parties against American companies based in New York.

Cobalt Strike 4.6: Security software company HelpSystems has released version 4.6 of the Cobalt Strike penetration testing platform. This new version introduces some security measures meant to prevent abuse, such as breaking the built-in updater and forcing all users to download the update from the vendor's official website—as a way to weed out some of the malware gangs operating cracked versions of the software.

Grugq newsletter: Infosec legend The Grugq launched a newsletter last week.

OffensiveCon and chill: Video recordings of the OffensiveCon 2022 security conference are now available on YouTube. The conference took place in Berlin, Germany, at the start of February and is exclusively dedicated to offensive security practitioners.

Five Eyes warning: The US, the UK, Canada, Australia, and New Zealand have issued a joint security advisory warning that "evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks" against western critical infrastructure as retaliation for the sanctions imposed on Russia after its invasion of Ukraine.

FBI warning for US agro sector: In tune with the Five Eyes warning, the FBI also published its own alert [PDF] about new ransomware attacks that may target the US agriculture sector. The alert cited the series of attacks that targeted farming cooperatives in the fall of 2021, such as the ones that hit NEW Cooperative, Crystal Valley, and Farmers Cooperative.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

The original REvil ransomware cartel has returned and is carrying out new intrusions. The group has already hit and claimed attacks on Oil India, the second-largest oil and gas producer in India, and French marketing firm Visotec.

Initial reporting on the attacks attributed the intrusions to a group using a modified version of the REvil ransomware code. However, earlier today, the original “Happy Blog,” a dark web blog where the REvil gang posted the names of the companies they attacked, came back to life and started redirecting visitors to a new URL listing the two companies listed above.