More stories

  • Ukraine asks cryptocurrency firms to block Russian users

    Ukraine has requested major cryptocurrency exchanges restrict the activities of Russian account holders.  Mykhailo Fedorov, the Vice Prime Minister and Minister of Digital Transformation of Ukraine, tweeted the appeal on February 27, asking that “all major crypto exchanges block addresses of Russian users.”


    “It’s crucial to freeze not only the addresses linked to Russian and Belarusian politicians but also to sabotage ordinary users,” Fedorov said.

    Economic sanctions and the upcoming exclusion of some Russian banks from the global SWIFT financial system have already prompted concerns of a cash run in Russia. But crypto companies have so far not agreed to the Ukrainian request to block all Russian users.

    A Binance spokesperson told Reuters that the cryptocurrency exchange is “blocking accounts of those on the sanctions list (if they have Binance accounts) and ensuring that all sanctions are met in full.” Binance has no plans to extend the ban to typical Russian account holders.

    Coinbase has refused the request and told Decrypt that “a unilateral and total ban would punish ordinary Russian citizens who are enduring historic currency destabilization as a result of their government’s aggression against a democratic neighbor.” However, the organization will comply with any future sanctions.

    Jesse Powell, the co-founder and CEO of the Kraken cryptocurrency exchange, went further in a Twitter thread explaining the firm’s stance: the company “cannot freeze the accounts of our Russian clients without a legal requirement to do so.” With that, he warned: “Russians should be aware that such a requirement could be imminent.” Powell also said that foreign states, such as the United States, could impose such sanctions “as a weapon to turn the Russian populace against its government’s policies.”

    DMarket, an NFT and metaverse platform originating from Ukraine, has taken a different stance. The startup says it has “cut all relationships with Russia and Belarus,” now prohibits sign-ups from these countries, and has frozen the assets of “previously registered users” in these countries. Assets and skins have not been confiscated and remain in user accounts, but DMarket says “access to their use is currently limited.” The Russian ruble has also been removed from the platform. Fedorov applauded the decision, calling the organization “Nowadays Robin Hoods.”

    Cryptocurrency giants may not be considering bans, but they are contributing to other efforts. Binance said it would donate $10 million to humanitarian efforts in Ukraine, and Crypto.com has made a $1 million donation to the Red Cross. “We urge our community to do what they can to support humanitarian efforts,” Crypto.com said.

    In related news, Fedorov published a list of cryptocurrency wallet addresses for donations to Ukraine. According to blockchain analysis provider Elliptic, $24.6 million had been raised through over 26,000 cryptoasset donations at the time of writing. The organization says that the “majority” of donations have been made in Bitcoin (BTC) and Ethereum (ETH), but NFTs are also being handed over to Ukraine.

    It should be noted that fraudsters are attempting to cash in on the conflict. “Elliptic has identified a number of fraudulent crypto fundraising scams which are exploiting the current situation,” the company says.

  • This stealthy and 'most advanced' malware burrows deep into networks to steal data

    Security researchers have uncovered a stealthy backdoor from a China-linked hacking group that is being used to target critical infrastructure in multiple countries. The malware, dubbed Daxin by researchers at Broadcom-owned Symantec, is a backdoor ‘rootkit’: malware designed to give an attacker low-level, ‘root’-privileged access to a compromised system. It was last used in November 2021, according to Symantec.


    Symantec declared in a blog post that the Windows kernel driver malware was the “most advanced piece of malware” its researchers had seen from China-linked actors. The malware is designed to penetrate networks that have been hardened against cyberattacks.

    The US Cybersecurity and Infrastructure Security Agency (CISA) marked Daxin as a “high-impact” security incident based on information shared through its private sector US cybersecurity partners in the Joint Cyber Defense Collaborative. CISA notes that Daxin has been used against select governments and other critical infrastructure targets. CISA and Symantec engaged with multiple governments targeted with Daxin malware and assisted in detection and remediation, CISA says.

    Daxin is a “highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality”, according to CISA. “Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions,” CISA notes.

    Symantec researchers believe the malware is used for espionage rather than to destroy data like the WhisperGate and HermeticWiper malware currently targeting Ukrainian organizations. “Most of the targets appear to be organizations and governments of strategic interest to China,” Symantec threat researchers said. “Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.”

    Windows kernel driver malware is rare today, according to Symantec researchers, who believe it is similar to Regin, a piece of malware its researchers were impressed by in 2014. Daxin’s standout feature is that it doesn’t start its own network services but relies on legitimate network services running on computers it has already compromised.

    The methods are similar to the “living-off-the-land” techniques that Microsoft has previously warned about in connection with malware that uses legitimate Windows services to evade detection. But rather than riding on legitimate operating-system processes, Daxin exploits legitimate secured network traffic between internal servers to infect computers and avoid detection.

    The malware allows the attackers to communicate across a network of infected computers and picks the optimal path for communications between those computers in a single sweep. It works by hijacking the encryption key exchange process between networked computers, based on incoming TCP traffic signals that indicate whether a given connection is worth targeting. TCP is one of the internet’s original protocols, designed to protect end-to-end communications between network-connected devices.

    “While it is not uncommon for attackers’ communications to make multiple hops across networks in order to get around firewalls and generally avoid raising suspicions, this is usually done step-by-step, such that each hop requires a separate action,” Symantec notes. “However, in the case of Daxin, this process is a single operation, suggesting the malware is designed for attacks on well-guarded networks, where attackers may need to periodically reconnect into compromised computers.”

    Symantec notes that the attackers attempted to deploy Daxin in 2019 using a PsExec session. PsExec is a legitimate Windows tool that allows admins to remotely administer computers. Symantec adds that similarities between the code bases of Daxin and previously known malware called Zala suggest the group has been active since 2009. Daxin improves on Zala’s pre-existing networking features.

  • Google TAG removes fraudulent 'influence' operations linked to Belarus, Moldova, Ukraine

    Google’s Threat Analysis Group (TAG) has taken down a “coordinated influence operation” connected to Belarus, Moldova, and Ukraine.


    On February 28, TAG member Shane Huntley published a bulletin sharing some of the unit’s latest efforts to tackle the spread of misinformation, including the removal of a coordinated campaign involving these countries – a topical issue given the current Russia-Ukraine conflict. The influence operation was terminated in January, prior to the start of the conflict, but at a time when tensions between Russia and Ukraine were rising due to the presence of Russian troops at Ukraine’s border.

    According to Google TAG, four YouTube channels, two AdSense accounts – used to generate revenue by displaying advertisements – and one Blogger blog were removed in connection with this network. In addition, six domains were added to a denylist to stop them appearing on Google News surfaces and Discover.

    Google says that the campaign “was sharing content in English that was about a variety of topics including US and European current events,” and while the tech giant did not reveal further details, it did say that the network was “financially motivated.”

    Google TAG also tackled a relatively large “influence operation linked to China.” In total, 4,361 YouTube channels were terminated in January. The majority of these channels were spreading Chinese spam content, but some uploaded content in both English and Chinese concerning China and US foreign events.

    Furthermore, TAG has taken down YouTube channels, AdSense accounts, and Play developer accounts belonging to influence campaigns linked to the politics and current affairs of Iraq, Turkey, and Libya.

    As the Russia-Ukraine conflict continues, Google has increased account protection for those in the region considered to be at higher risk of cyberattacks or attempted account compromise. This includes enabling two-factor authentication (2FA) and promoting the Advanced Protection Program.

    Google said on Twitter that its “threat intel teams continue to look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse, and are working with other companies and relevant government bodies to address these threats.”

    In related news, Meta – formerly known as Facebook – is also attempting to combat misinformation. A number of accounts belonging to Russian state-media organizations have been blocked, and access to Russia Today (RT) and Sputnik across the European Union has been restricted.

  • MacTel warns critical infrastructure reforms create gaps in government data protection

    Macquarie Telecom has labelled Australia’s critical infrastructure reforms as “watered down”, warning that many data storage or processing service providers may be able to avoid regulation due to the reforms’ primary focus on “business-critical data”.

    “This is a significant and dangerous reduction in the scope of [Australia’s critical infrastructure laws] because business-critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government,” the Australian cloud and data storage provider said.

    Macquarie Telecom’s remarks were made to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is currently reviewing the latest critical infrastructure reforms that were introduced into Parliament last month.

    The reforms have so far come in the form of two pieces of legislation. The first became law in December to give government “last resort” powers to direct a critical infrastructure entity on how to intervene against cyber attacks. The second piece of legislation, which is what Macquarie Telecom has flagged as requiring amendments, looks to add requirements for critical infrastructure entities to have risk management programs in place and for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations.

    Unpacking Macquarie Telecom’s concerns, the company said the second piece of legislation — known as the SLACIP Bill — seeks to amend existing laws so that critical infrastructure entity requirements do not apply to data storage providers unless the government data they store or process comprises “business-critical data”. According to the company, this would result in various types of data not being covered by the regulation’s risk management program requirement.

    Examples of data that would not be covered by the critical infrastructure reforms are highly classified government information, the entirety of the National Archives of Australia, official company records for the Australian Securities and Investments Commission, official records of deaths for a state registry office, official geophysical data, and the systems that underpin the operation of the video teleconference links used by the federal and state courts, Macquarie Telecom said.

    “The gaps and consequences arising from the proposed change to the definition are significant and, in the circumstances, seem absurd,” it added.

    In addition to its objection to the “business-critical data” definition amendment, Macquarie Telecom said the reforms being geographically limited to Australia could create competitive disadvantages for data storage providers whose assets are based entirely in Australia. The company explained this competitive disadvantage could arise because the “jurisdictional gap” would create an incentive for all types of critical infrastructure providers and their suppliers to shift data stores and processing functions offshore, where they would be beyond the scope of Australia’s critical infrastructure laws. It also said the geographic limit means that Australia’s critical infrastructure laws contain no mechanism to protect nationally significant critical data workloads from being transferred offshore, where they could potentially be outside Australia’s jurisdiction.

    “The rationale for excluding critical Australian data storage and processing assets located overseas has not been explained. It is in stark contrast to the approach adopted in other laws, which expressly apply to data stored overseas,” Macquarie Telecom said.

    The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as its primary regulatory efforts for bolstering Australia’s cybersecurity posture. Home Affairs Secretary Mike Pezzullo last month labelled the reforms the government’s “defence” against cyber threats, with the ransomware action plan forming the “offence”. He said the SLACIP Bill would ideally create a standardised critical infrastructure framework that enables Australia’s intelligence agencies to approach cyber attacks in a precautionary fashion, due to the additional information they would receive.

  • Meta blocks access to Russian state-based media outlets RT and Sputnik across EU

    Meta, formerly known as Facebook, has now restricted access to Russian state-based media outlets Russia Today (RT) and Sputnik across the European Union.

    “We have received requests from a number of governments and the EU to take further steps in relation to Russian state-controlled media,” Meta VP of global affairs Nick Clegg wrote in a tweet. “Given the exceptional nature of the current situation, we will be restricting access to RT and Sputnik across the EU at this time.”

    “We will continue to work closely with governments on this issue.”

    The ban is in addition to restrictions the social media giant had already placed on Russian state-media accounts in Ukraine in response to Russia’s invasion of the country, which began five days ago. It comes off the back of EU Commission president Ursula von der Leyen saying the bloc would place a ban on RT and Sputnik, as well as their subsidiaries.

    “We will ban the Kremlin’s media machine in the EU. The state-owned Russia Today and Sputnik, and their subsidiaries, will no longer be able to spread their lies to justify Putin’s war,” she said.

    “We are developing tools to ban their toxic and harmful disinformation in Europe.”

    Meanwhile, Twitter has also taken additional steps to fight Russian misinformation by adding labels to tweets that share links from Russian state-based media websites. Twitter will also be reducing the content’s visibility. The labels will be added to state-affiliated media outlets in the “coming weeks”, Twitter head of site integrity Yoel Roth wrote in a tweet.

    “We’ve learned that labelling Tweets is another way we can add helpful context to conversations around some of the most critical issues, such as COVID-19 and elections happening around the world,” he said.

    “This work builds on the numerous steps we’ve taken over the past week — from pausing ads in Ukraine and Russia, to launching timeline prompts with context about the crisis. We remain vigilant and will keep you updated along the way.”

    Microsoft has also announced measures to reduce misinformation.

    “We are moving swiftly to take new steps to reduce the exposure of Russian state propaganda, as well as to ensure our own platforms do not inadvertently fund these operations,” the company announced in a post. “In accordance with the EU’s recent decision, the Microsoft Start platform (including MSN.com) will not display any state-sponsored RT and Sputnik content.”

    “We are removing RT news apps from our Windows app store and further de-ranking these sites’ search results on Bing so that it will only return RT and Sputnik links when a user clearly intends to navigate to those pages. Finally, we are banning all advertisements from RT and Sputnik across our ad network and will not place any ads from our ad network on these sites.”


    Updated at 10:49am AEST, 1 March 2022: added further information about Microsoft Start platform activation.

  • Viasat says 'cyber event' is causing broadband outages across Europe

    Satellite communications giant Viasat said a cyberattack was causing network outages impacting internet service for fixed broadband customers in Ukraine and elsewhere on its European KA-SAT network.

    The California-based company, which provides high-speed satellite broadband services, told ZDNet the outages were caused by a cyberattack.

    “Our investigation into the outage continues, but so far we believe it was caused by a cyber event. We are investigating and analyzing our European network and systems to identify the root cause and are taking additional network precautions to prevent further impacts while we attempt to recover service to affected customers,” said Christina Phillips, vice president of public relations at Viasat.

    “Law enforcement and government partners have been notified and are assisting in the ongoing investigation, along with a third-party cybersecurity firm. The investigation is ongoing, but to date, we have no indication that customer data is involved.”

    Netblocks shared information and graphs showing that the incident began on February 24 and has continued since then.

    Many have pointed out that the incident began on the same day that Russia invaded Ukraine. News outlet PaxEx.Aero said intv.cz, one of the ISPs impacted by the outage, claimed there was an “attack” on the ground infrastructure for KA-SAT in Ukraine that managed to spread. Another ISP, Germany-based EUSANET, also said it was experiencing outages in a statement to PaxEx.Aero. British news outlet Sky News reported that an insider told them the outages were caused by a distributed denial of service (DDoS) attack.

  • Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store

    Microsoft says it found a new malware package — which it calls “FoxBlade” — hours before Russia began its invasion of Ukraine on February 24. In a blog post, Microsoft president Brad Smith said it was coordinating its efforts to protect users in Ukraine with the Ukrainian government, the European Union, European nations, the US government, NATO, and the United Nations.


    “Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure. We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success,” Smith said. “In recent days, we have provided threat intelligence and defensive suggestions to Ukrainian officials… This work is ongoing.”

    Smith noted that the cyberattacks on Ukraine seen by Microsoft have been extremely targeted and not as wide-ranging as the 2017 NotPetya attack. But Smith said Microsoft has seen recent cyberattacks on “Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises.”

    Microsoft has also told Ukraine’s government about efforts to steal data from government sources, including healthcare information, insurance data, transportation data, and other personally identifiable information.

    In addition to its efforts to help Ukraine with cybersecurity measures, Microsoft said it is also taking steps “to reduce the exposure of Russian state propaganda, as well as to ensure our own platforms do not inadvertently fund these operations.”

    “In accordance with the EU’s recent decision, the Microsoft Start platform (including MSN.com) will not display any state-sponsored RT and Sputnik content. We are removing RT news apps from our Windows app store and further de-ranking these sites’ search results on Bing so that it will only return RT and Sputnik links when a user clearly intends to navigate to those pages,” Smith said.

    “Finally, we are banning all advertisements from RT and Sputnik across our ad network and will not place any ads from our ad network on these sites.”

    “We are also focused as a company on protecting against state-sponsored disinformation campaigns, which have long been commonplace in times of war. The past few days have seen kinetic warfare accompanied by a well-orchestrated battle ongoing in the information ecosystem where the ammunition is disinformation, undermining truth and sowing seeds of discord and distrust. This requires decisive efforts across the tech sector – both individually by companies and in partnership with others – as well as with governments, academia and civil society.”

    Smith added that Microsoft is working with the International Committee of the Red Cross (ICRC) and multiple UN agencies on refugee support efforts.

  • Take these steps to prepare for and handle the cybersecurity effects of the war in Ukraine

    CISOs and their teams in Europe and worldwide are either already experiencing cybersecurity impacts from the war in Ukraine and the sanctions imposed on Russian and Belarusian actors — or they soon will. If you haven’t already, here are the cybersecurity-related steps to take right now, plus some pitfalls to avoid.

    At the risk of stating the obvious, follow current advice from your national cybersecurity authority. The US Cybersecurity and Infrastructure Security Agency (CISA) has already warned of increased attacks on critical infrastructure and defense industrial bases through its Shields Up initiative. This is the best place to receive up-to-date information from CISA on the current state of the conflict. In the UK, the National Cyber Security Centre (NCSC) has published specific steps to undertake in the current heightened threat landscape. Other agencies such as the European Union Agency for Cybersecurity (ENISA), the Federal Office for Information Security (BSI) in Germany, and the National Cybersecurity Agency (ANSSI) in France have warned of the situation, and an EU cyber unit has been deployed to assist Ukraine. The Australian Cyber Security Centre also provided guidance via an urgent alert when the Australian government placed sanctions on Russia on February 23. In the absence of specific information from your national cybersecurity authority, use the guidance we’ve linked here.

    Reach out to government contacts. Make sure you have a stable contact within the government in each country where you have a large operation, whom you can reach in the event of an incident or for updates on the current situation. In the United States, InfraGard coordinates information sharing with critical infrastructure providers. In the UK, review information provided by the NCSC’s Critical National Infrastructure hub and its equivalents in Europe. For EU-based organizations, speak to your local CSIRT (computer security incident response team) and CERT (computer emergency response team) contacts. (Find a full listing here.)

    Initiate a “request for intelligence” from your threat intelligence vendor. Ideally, this is an existing part of your contract — but it’ll be worth it even if you must pay an additional fee. Explain the target audience for the report so that your vendor will produce information at the right altitude (for your board of directors, for your security team, etc.). The request for intelligence should go beyond the normal overviews your vendor provides, and it should include specifics related to your vertical industry and operating locations. Further, it should give you information on threat actors of concern and on the tactics, techniques, and procedures (TTPs) that those threat actors use.

    Brief your senior stakeholders ahead of the news cycle on the threat environment and risk. Cybersecurity incidents that achieve media prominence have a habit of alarming senior executives and board members, resulting in a cascade of panicked questions to you and your team. Don’t be caught unawares, as such requests can consume precious time that you will need to deal with a potential incident. Prepare a brief in advance, and make it as factual as possible about the overall external threat and situation, the potential impact on your organization, and the overall risk to the business. Take the opportunity to remind your executives what tactical activities you are undertaking to deal with the immediate issues, as well as how your strategy will serve to prepare for such events, now and in the future.

    Collaborate with your security vendors. Your organization’s security vendors need to take a proactive role in your preparations for cyber conflict and defense in depth. Rely on your vendor account representatives; they’re incentivized to ensure that you receive the proper level of care, contractually or specific to that technology. For product vendors, confirm turnaround time and automation options for ruleset and patch updates; for managed services, clarify their processes and communication channels. You should already be receiving communications from your vendors regarding the conflict in Ukraine. If you have yet to receive updates, reach out directly to the vendor, your rep, the support team, etc. Pay particular attention to vendors that were less responsive during Log4Shell, because two subpar performances during a crisis make an unpleasant pattern.

    Do not attempt to predict what nation-states will do. The world’s intelligence agencies have done a remarkable job of coming together and sharing intelligence to limit misinformation and disinformation. They have information you — and we — do not have, and they still miss things. Focus on preparation and on improving your firm’s resilience rather than trying to predict what will happen next.

    You can’t prepare for cyberattacks when they’re already happening, so don’t try. Dentists will tell you that “you can’t cram for a dental exam,” and this is similar; it’s too late to initiate widespread technology changes. That’s why cybersecurity is a program and why readiness and preparedness are so important. If there are adjustments you can make after a recent tabletop session to processes or communication, make them — and update your documentation accordingly.

    Here’s What To Do Next

    After you’ve completed the above steps, here’s your next checklist to follow:

    Be ready for more misinformation and disinformation. Misinformation and disinformation featured heavily in the lead-up to this conflict. Allegations of staged cabinet meetings well after decisions were made are one example. On February 3, the US predicted that Russia would use graphic fake videos as a pretext for invasion. Open source intelligence researchers analyzed a video that surfaced two weeks later, proving the US correct. These videos serve two purposes: to bolster internal sentiment for invasion and to distort narratives abroad. In France, India, the UK, and the US, respondents to our March 2021 Global Trust Imperative Survey trusted their employers more than their national and local government leaders. This means that the information your security team provides carries considerable weight. So, keep your incident response plans and their communication elements handy.

    Consider secure communications tools for security, privacy, and reliability. Firms concerned about the security and privacy of business communications over traditional channels — such as eavesdropping, communications metadata exposure, data loss, or non-compliance — can take steps to protect corporate communications. Employees in and around Ukraine may also face disruptions to communications infrastructure. Encrypted messaging and calling solutions like Element, KoolSpan, and Wickr work in low-bandwidth environments. And these tools aren’t one-off investments; you can use them to protect your everyday communications, as out-of-band communications channels during incident response, and to provide traveling executives with enhanced security.

    Build your incident responder ranks. If you’ve been looking to create a path for advancement for your high-performing security operations center (SOC) analysts or security engineers, now is the time. Many incident response service providers offer training for internal teams on response actions, forensic investigations, and evidence collection. A targeted attack usually results in a complex, protracted response. Work with your provider to develop a training plan that creates a bench of capable understudies on the promotion path, so that you can allow your key responders to rest and avoid burnout.

    Pay attention to device and software hygiene. This may seem like a no-brainer, especially given typical C2C (comply to connect) policies, but this is a critical time to get your devices, endpoints, and applications fully patched and up to date. Prioritize critical vulnerabilities and any vulnerabilities with a known exploit, but don’t neglect highs and mediums; an unrelated attacker who has been hoarding a backlog of exploits might well decide to use them while the world is preoccupied with the war in Ukraine. In addition, consider a tabletop exercise around responding to and patching a new zero day.

    This post was written by Principal Analyst Paul McKay and it originally appeared here.
