Newsletters

Dirty Pipe exploitation: CISA says attackers are exploiting the Linux vulnerability known as Dirty Pipe. On Monday, the agency added the vulnerability to its list of actively exploited bugs and urged US federal agencies to patch systems by May 16. The agency also added six other vulnerabilities to the same list, including bugs in Jenkins, Microsoft, and WSO2 products.

WSO2 exploitation: A technical write-up is also available for CVE-2022-29464, the WSO2 remote code execution vulnerability that is also under exploitation and included in aforementioned CISA's must-patch recommendations.

VirusTotal denies bug report: VirusTotal founder Bernardo Quintero has dismissed a vulnerability report published on Monday by security firm CySource. The company claimed to have found a remote code execution vulnerability in the VirusTotal malware scanning platform. But Quintero told Risky Biz News that the researchers never gained access to VirusTotal servers. Instead, he said, the researchers only gained access to systems owned by security firms that were downloading and processing VirusTotal data. Quintero called the report "fake news" and posted screenshots of internal conversations about the report to Twitter, along with an official reply from Google's Vulnerability Research Program (VT is owned by Google).

Israeli hacker-for-hire pleads guilty: An Israeli private detective detained in New York since 2019 on charges of involvement in a hacker-for-hire scheme pleaded guilty to wire fraud, conspiracy to commit hacking and aggravated identity theft last week. According to Reuters, Aviram Azari is connected to Indian hacker-for-hire company BellTroX, where he organized a series of hacking missions on behalf of unnamed third parties against American companies based in New York.

Cobalt Strike 4.6: Security software company HelpSystems has released version 4.6 of the Cobalt Strike penetration testing platform. This new version introduces some security measures meant to prevent abuse, such as breaking the built-in updater and forcing all users to download the update from the vendor's official website—as a way to weed out some of the malware gangs operating cracked versions of the software.

Grugq newsletter: Infosec legend The Grugq launched a newsletter last week.

OffensiveCon and chill: Video recordings of the OffensiveCon 2022 security conference are now available on YouTube. The conference took place in Berlin, Germany, at the start of February and is exclusively dedicated to offensive security practitioners.

Five Eyes warning: The US, the UK, Canada, Australia, and New Zealand have issued a joint security advisory warning that "evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks" against western critical infrastructure as retaliation for the sanctions imposed on Russia after its invasion of Ukraine.

FBI warning for US agro sector: In tune with the Five Eyes warning, the FBI also published its own alert [PDF] about new ransomware attacks that may target the US agriculture sector. The alert cited the series of attacks that targeted farming cooperatives in the fall of 2021, such as the ones that hit NEW Cooperative, Crystal Valley, and Farmers Cooperative.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

The original REvil ransomware cartel has returned and is carrying out new intrusions. The group has already hit and claimed attacks on Oil India, the second-largest oil and gas producer in India, and French marketing firm Visotec.

Initial reporting on the attacks attributed the intrusions to a group using a modified version of the REvil ransomware code. However, earlier today, the original “Happy Blog,” a dark web blog where the REvil gang posted the names of the companies they attacked, came back to life and started redirecting visitors to a new URL listing the two companies listed above.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

State coordinated cyber attacks targeting power infrastructure in Ukraine and India are, at first glance, alarming. However, the campaign targeting Ukraine appears to have failed and the preparatory activity targeting India was so noisy it might actually wind up driving meaningfully improved defences there, too. Let's dive in:

Ukraine's CERT announced that it had thwarted a Russian attack on Ukrainian energy infrastructure. Victor Zhora, a top Ukrainian cybersecurity official, said in a Zoom press conference that the malware caused some disruption in one facility, but no customers lost power.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

As first reported in Cyberscoop, the Biden administration is reviewing the Trump-era policy that gave US Cyber Command (USCYBERCOM) greater freedoms to pew pew their cyber operations without White House approval.

The policy in question, National Security Presidential Memorandum-13 (NSPM-13), is classified, although The Washington Post reported the intent of the policy was to remove procedural barriers to the authorisation of offensive cyber operations. In other words it would give DoD personnel greater freedom to fire their pew pew cyber cannons without jumping through a series of very complicated, bureaucratic hoops.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

SpaceX's CEO Elon Musk has, perhaps without thinking, painted a big fat military target on the company's Starlink satellite service.

Many companies have expressed support for Ukraine by either pulling out of or restricting sales and services to the Russian market. SpaceX has taken a different approach and actively provided extra services to Ukraine. These services are now enabling a lethal military function.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Efforts by American companies to disconnect Russia from the Internet are understandable but ultimately counterproductive. To a degree, they play into Putin's hands.

Two of the world's largest backbone providers, Cogent and Lumen, stopped servicing customers in Russia. Similarly, the London Internet Exchange, one of the world's larger internet exchange points, booted Rostelecom and Megafon (Russia's largest ISP and second largest mobile telco) out of the exchange.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Interesting — but not conclusive — reporting suggests that a destructive cyber incident targeting satellite communications provider ViaSat was aimed at disrupting Ukrainian military communications.

ViaSat suffered network outages on 24 February — the same day as the invasion of Ukraine — on KA-SAT spot beams servicing Eastern Europe including Ukraine. The outages had effects beyond Ukraine, including disconnecting 5,800 wind turbines in Germany from their monitoring system and also affected other customers in Germany, France, Hungary, Greece, Italy and Poland.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

There is no evidence that cyber operations have been used effectively in support of conventional military action in Russia's invasion of Ukraine, but the resulting chaos in the cybers is still making life interesting.

There have been many incidents affecting Ukrainian interests that are likely state-directed in support of Russia: