More stories

  • Viasat says 'cyber event' is causing broadband outages across Europe

    Satellite communications giant Viasat said a cyberattack was causing network outages impacting internet service for fixed broadband customers in Ukraine and elsewhere on its European KA-SAT network. The California-based company, which provides high-speed satellite broadband services, told ZDNet the outages were caused by a cyberattack.

    “Our investigation into the outage continues, but so far we believe it was caused by a cyber event. We are investigating and analyzing our European network and systems to identify the root cause and are taking additional network precautions to prevent further impacts while we attempt to recover service to affected customers,” said Christina Phillips, vice president of public relations at Viasat. “Law enforcement and government partners have been notified and are assisting in the ongoing investigation, along with a third-party cybersecurity firm. The investigation is ongoing, but to date, we have no indication that customer data is involved.”

    Netblocks shared information and graphs showing that the incident began on February 24 and has continued since then.

    Many have pointed out that the incident began on the same day that Russia invaded Ukraine. News outlet PaxEx.Aero said intv.cz, one of the ISPs impacted by the outage, claimed there was an “attack” on the ground infrastructure for KA-SAT in Ukraine that managed to spread. Another ISP, Germany-based EUSANET, also said it was experiencing outages in a statement to PaxEx.Aero. British news outlet Sky News reported that an insider told them the outages were caused by a distributed denial of service (DDoS) attack.

  • Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store

    Microsoft says it found a new malware package — which it calls “FoxBlade” — hours before Russia began its invasion of Ukraine on February 24. In a blog post, Microsoft president Brad Smith said it was coordinating its efforts to protect users in Ukraine with the Ukrainian government, the European Union, European nations, the US government, NATO, and the United Nations.

    “Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure. We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success,” Smith said. “In recent days, we have provided threat intelligence and defensive suggestions to Ukrainian officials… This work is ongoing.”

    Smith noted that the cyberattacks on Ukraine seen by Microsoft have been extremely targeted and not as wide-ranging as the 2017 NotPetya attack. But Smith said Microsoft has seen recent cyberattacks on “Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises.”

    Microsoft has also told Ukraine’s government about efforts to steal data from government sources, including healthcare information, insurance data, transportation data, and other personally identifiable information. In addition to its efforts to help Ukraine with cybersecurity measures, Microsoft said it is also taking steps “to reduce the exposure of Russian state propaganda, as well as to ensure our own platforms do not inadvertently fund these operations.”

    “In accordance with the EU’s recent decision, the Microsoft Start platform (including MSN.com) will not display any state-sponsored RT and Sputnik content. We are removing RT news apps from our Windows app store and further de-ranking these sites’ search results on Bing so that it will only return RT and Sputnik links when a user clearly intends to navigate to those pages,” Smith said. “Finally, we are banning all advertisements from RT and Sputnik across our ad network and will not place any ads from our ad network on these sites.”

    “We are also focused as a company in protecting against state-sponsored disinformation campaigns, which have long been commonplace in times of war. The past few days have seen kinetic warfare accompanied with a well-orchestrated battle ongoing in the information ecosystem where the ammunition is disinformation, undermining truth and sowing seeds of discord and distrust. This requires decisive efforts across the tech sector – both individually by companies and in partnership with others – as well as with governments, academia and civil society.”

    Smith added that Microsoft is working with the International Committee of the Red Cross (ICRC) and multiple UN agencies on refugee support efforts.

  • Take these steps to prepare for and handle the cybersecurity effects of the war in Ukraine

    CISOs and their teams in Europe and worldwide are either already experiencing cybersecurity impacts from the war in Ukraine and the sanctions imposed on Russian and Belarusian actors — or they soon will. If you haven’t already, here are the cybersecurity-related steps to take right now, plus some pitfalls to avoid.

    At the risk of stating the obvious, follow current advice from your national cybersecurity authority. The US Cybersecurity and Infrastructure Security Agency (CISA) has already warned of increased attacks on critical infrastructure and defense industrial bases through their Shields Up initiative. This is the best place to receive up-to-date information from CISA on the current state of the conflict. In the UK, the National Cyber Security Centre (NCSC) has published specific steps to undertake in the current heightened threat landscape. Other agencies such as the European Union Agency for Cybersecurity (ENISA), the Federal Office for Information Security (BSI) in Germany, and the National Cybersecurity Agency (ANSSI) in France have warned of the situation, and an EU cyber unit has been deployed to assist Ukraine. The Australian Cyber Security Centre also provided guidance via an urgent alert when the Australian government placed sanctions on Russia on February 23. In the absence of specific information from your national cybersecurity authority, use the guidance we’ve linked here.

    Reach out to government contacts. Make sure you have a stable contact within the government in each country where you have a large operation that you can reach out to in the event of an incident or for updates on the current situation. In the United States, InfraGard coordinates information sharing with critical infrastructure providers. In the UK, review information provided by the UK National Cyber Security Centre’s (NCSC) Critical National Infrastructure hub and its equivalents in Europe. For EU-based organizations, speak to your local CSIRT (computer security incident response team) and CERT (computer emergency response team) contacts. (Find a full listing here.)

    Initiate a “request for intelligence” from your threat intelligence vendor. Ideally, this is an existing part of your contract — but it’ll be worth it even if you must pay an additional fee. Explain the target audience for the report so that your vendor will produce information at the right altitude (for your board of directors, for your security team, etc.). The request for intelligence should go beyond the normal overviews your vendor provides, and it should include specifics related to your vertical industry and operating locations. Further, it should give you information on threat actors of concern and on the tactics, techniques, and procedures (TTPs) that those threat actors use.

    Brief your senior stakeholders ahead of the news cycle on the threat environment and risk. Cybersecurity incidents that achieve media prominence have a habit of alarming senior executives and board members, resulting in a cascade of panicked questions to you and your team. Don’t be caught unawares, as such requests can consume precious time that you will need to deal with a potential incident. Prepare a brief in advance, and make it as factual as possible about the overall external threat and situation, the potential impact on your organization, and the overall risk to the business. Take the opportunity to remind your executives what tactical activities you are undertaking to deal with the immediate issues, as well as how your strategy will serve to prepare for such events, now and in the future.

    Collaborate with your security vendors. Your organization’s security vendors need to take a proactive role in your preparations for cyber conflict and defense in depth. Rely on your vendor account representatives; they’re incentivized to ensure that you receive the proper level of care contractually or specific to that technology. For product vendors, confirm turnaround time and automation options for ruleset and patch updates; for managed services, clarify their processes and communication channels. You should already be receiving communications from your vendors regarding the conflict in Ukraine. If you have yet to receive updates, reach out directly to the vendor, your rep, the support team, etc. Pay particular attention to vendors that were less responsive during Log4Shell, because two subpar performances during a crisis make an unpleasant pattern.

    Do not attempt to predict what nation-states will do. The world’s intelligence agencies have done a remarkable job of coming together and sharing intelligence to limit misinformation and disinformation. They have the information you — and we — do not have, and they still miss things. Focus on preparation and on improving your firm’s resilience rather than trying to predict what will happen next.

    You can’t prepare for cyberattacks when they’re already happening, so don’t try. Dentists will tell you that “you can’t cram for a dental exam,” and this is similar; it’s too late to initiate widespread technology changes. That’s why cybersecurity is a program and why readiness and preparedness are so important. If there are adjustments you can make after a recent tabletop session to processes or communication, make them — and update your documentation accordingly.

    Here’s What To Do Next

    After you’ve completed the above steps, here’s your next checklist to follow:

    Be ready for more misinformation and disinformation. Misinformation and disinformation featured heavily in the lead-up to this conflict. Allegations of staged cabinet meetings well after decisions were made are one example. On February 3, the US predicted that Russia would use graphic fake videos as a pretext for invasion. Open source intelligence researchers analyzed a video that surfaced two weeks later proving the US correct. These videos serve two purposes: to bolster internal sentiment for invasion and distort narratives abroad. In France, India, the UK, and the US, respondents to our March 2021 Global Trust Imperative Survey trusted their employers more than their national and local government leaders. This means that the information your security team provides carries considerable weight. So, keep your incident response plans and their communication elements handy.

    Consider secure communications tools for security, privacy, and reliability. Firms concerned about the security and privacy of business communications — such as eavesdropping, communications metadata exposure, data loss, or non-compliance — over traditional channels can take steps to protect corporate communications. Employees in and around Ukraine may also face disruptions to communications infrastructure. Encrypted messaging and calling solutions like Element, KoolSpan, and Wickr work in low-bandwidth environments. And these tools aren’t one-off investments; you can use them to protect your everyday communications and as out-of-band communications channels during incident responses and to provide traveling executives with enhanced security.

    Build your incident responder ranks. If you’ve been looking to create a path for advancement for your high-performing security operations center (SOC) analysts or security engineers, now is the time. Many incident response service providers offer training for internal teams on response actions, forensic investigations, and evidence collection. A targeted attack usually results in a complex, protracted response. Work with your provider to develop a training plan that creates a bench of capable understudies on the promotion path so that you can allow your key responders to rest and avoid burnout.

    Pay attention to device and software hygiene. This may seem like a no-brainer, especially given typical C2C (comply to connect) policies, but this is a critical time to get your devices, endpoints, and applications fully patched and up to date. Prioritize critical vulnerabilities and any vulnerabilities with a known exploit, but don’t neglect highs and mediums; an unrelated attacker who has been hoarding a backlog of exploits might well decide to use them while the world is preoccupied with the war in Ukraine. In addition, consider a tabletop exercise around responding to and patching a new zero day.

    This post was written by Principal Analyst Paul McKay and it originally appeared here.

  • Cloud security is too important to leave to cloud providers

    As cloud rises to encompass more corporate applications, data and processes, there’s potential for end-users to outsource their security to providers as well.

    The need to take control of security and not turn ultimate responsibility over to cloud providers is taking hold among many enterprises, an industry survey suggests. The Cloud Security Alliance, which released its survey of 241 industry experts, identified an “Egregious 11” cloud security issues. The survey’s authors point out that many of this year’s most pressing issues put the onus of security on end user companies, versus relying on service providers. “We noticed a drop in ranking of traditional cloud security issues under the responsibility of cloud service providers. Concerns such as denial of service, shared technology vulnerabilities, and CSP data loss and system vulnerabilities — which all featured in the previous ‘Treacherous 12’ — were now rated so low they have been excluded in this report. These omissions suggest that traditional security issues under the responsibility of the CSP seem to be less of a concern. Instead, we’re seeing more of a need to address security issues that are situated higher up the technology stack that are the result of senior management decisions.”

    This aligns with another recent survey from Forbes Insights and VMware, which finds that proactive companies are resisting the temptation to turn security over to their cloud providers — only 31% of leaders report turning over many security measures to cloud providers. (I helped design and author the survey report.) Still, 94% are employing cloud services for some aspects of security.

    The latest CSA report highlights this year’s leading concerns:

    1. Data breaches. “Data is becoming the main target of cyber attacks,” the report’s authors point out. “Defining the business value of data and the impact of its loss is essential for organizations that own or process data.” In addition, “protecting data is evolving into a question of who has access to it,” they add. “Encryption techniques can help protect data, but negatively impacts system performance while making applications less user-friendly.”

    2. Misconfiguration and inadequate change control. “Cloud-based resources are highly complex and dynamic, making them challenging to configure. Traditional controls and change management approaches are not effective in the cloud.” The authors state “companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real time.”

    3. Lack of cloud security architecture and strategy. “Ensure security architecture aligns with business goals and objectives. Develop and implement a security architecture framework.”

    4. Insufficient identity, credential, access and key management. “Secure accounts, inclusive to two-factor authentication and limited use of root accounts. Practice the strictest identity and access controls for cloud users and identities.”

    5. Account hijacking. This is a threat that must be taken seriously. “Defense-in-depth and IAM controls are key in mitigating account hijacking.”

    6. Insider threat. “Taking measures to minimize insider negligence can help mitigate the consequences of insider threats. Provide training to your security teams to properly install, configure, and monitor your computer systems, networks, mobile devices, and backup devices.” The CSA authors also urge “regular employee training awareness. Provide training to your regular employees to inform them how to handle security risks, such as phishing and protecting corporate data they carry outside the company on laptops and mobile devices.”

    7. Insecure interfaces and APIs. “Practice good API hygiene. Good practice includes diligent oversight of items such as inventory, testing, auditing, and abnormal activity protections.” Also, “consider using standard and open API frameworks (e.g., Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)).”

    8. Weak control plane. “The cloud customer should perform due diligence and determine if the cloud service they intend to use possesses an adequate control plane.”

    9. Metastructure and applistructure failures. “Cloud service providers must offer visibility and expose mitigations to counteract the cloud’s inherent lack of transparency for tenants. All CSPs should conduct penetration testing and provide findings to customers.”

    10. Limited cloud usage visibility. “Mitigating risks starts with the development of a complete cloud visibility effort from the top down. Mandate companywide training on accepted cloud usage policies and enforcement thereof. All non-approved cloud services must be reviewed and approved by the cloud security architect or third-party risk management.”

    11. Abuse and nefarious use of cloud services. “Enterprises should monitor their employees in the cloud, as traditional mechanisms are unable to mitigate the risks posed by cloud service usage.”

  • Google increasing account protections for users impacted by Russian invasion of Ukraine

    Google detailed a series of measures it’s taking to help those impacted by the ongoing Russian invasion of Ukraine deal with associated cyber threats and privacy risks. 

    In a lengthy Twitter thread, Google Europe ran through a list of measures it’s taking to automatically safeguard accounts, as well as measures users themselves can take to increase their privacy and security through freely available account features. First, the company made it clear that it is actively attempting to “look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse” surrounding the conflict. This effort includes collaborations with other companies and “relevant government bodies” to address rising threats.

    On an individual level, Google has automatically increased account security protections for people in the regions affected by the conflict. This includes measures like enabling two-factor authentication (2FA) for users that didn’t already have it activated and promoting the use of its Advanced Protection Program. The Advanced Protection Program offers extra safeguards for individuals that believe they may have higher-than-normal risks of being targeted by bad actors. The obvious correlation here would be any Ukrainian government officials, journalists, and anyone else that may be targeted by nationally sponsored or freelance hackers.

    For users in the conflict zone, as well as those browsing information about it, Google has enabled Safe Browsing mode by default; this will identify known phishing and malware insertion attempts from around the web for users on any of its Chrome browsers or branded sites and services. Users wishing additional protection against malicious downloads can also access Google’s free VirusTotal service, which analyzes files for suspicious data or URLs, including the recently discovered wiper malware already known to be targeting individuals in Ukraine and Latvia.

    Lastly, the company details a series of ongoing efforts to combat misinformation and propaganda campaigns, including tweaking YouTube to surface “videos from trusted news sources,” and removing “hundreds of channels & thousands of videos” that provided “violative misinformation.” Similarly, all ads attempting to exploit the crisis will be blocked. However, Google is simultaneously donating $2 million worth of ad space to humanitarian organizations to help “connect people on the ground searching for resources with information.”

  • CISA, FBI warn US orgs of WhisperGate and HermeticWiper malware

    The Cybersecurity and Infrastructure Security Agency (CISA) and FBI released new guidance on the WhisperGate and HermeticWiper malware strains in a joint advisory this weekend. The government agencies warned US organizations and companies to look out for WhisperGate and HermeticWiper after they were seen being used against organizations in Ukraine in the run-up to Russia’s invasion of the country. Both CISA and the FBI reiterated that there is no specific threat against US organizations.

    “In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the US,” said CISA Director Jen Easterly. “Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”

    CISA urged US organizations to take measures to protect themselves by enabling multifactor authentication, deploying antivirus and antimalware programs, enabling spam filters, updating all software and filtering network traffic. The joint advisory, “Destructive Malware Targeting Organizations in Ukraine,” comes as CISA expanded its Shields Up webpage to include new services and resources, recommendations for corporate leaders and actions to protect critical assets. CISA has also created a new Shields Up Technical Guidance webpage that provides more details on other cyberattacks facing Ukraine and technical resources to deal with threats.

    “The FBI alongside our federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We are striving to disrupt and diminish these threats, however we cannot do this alone, we continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident.”

    Dozens of systems within at least two Ukrainian government agencies were wiped during a cyberattack using WhisperGate in January. Microsoft released a detailed blog about WhisperGate and said it was first discovered on January 13. Multiple security companies have released guidance and examinations of the malware since it emerged. In a follow-up examination of WhisperGate, security company CrowdStrike said the malware aims “to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations.”

    “However, the WhisperGate bootloader has no decryption or data-recovery mechanism and has inconsistencies with malware commonly deployed in ransomware operations,” CrowdStrike explained. “The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.”

    Kitsoft, the company that built about 50 of Ukraine’s government websites, said that it discovered WhisperGate malware on its systems too.

  • Ukraine security agencies warn of Ghostwriter threat activity, phishing campaigns

    The Computer Emergency Response Team for Ukraine (CERT-UA) has warned of ongoing phishing and Ghostwriter activities attacking organizations in the country. 

    On February 26, CERT-UA said it continues to track the movements of UNC1151/Ghostwriter, which is currently attacking targets in Ukraine, Poland, Belarus, and Russia. Ghostwriter is believed to be of Belarusian origin. According to the security agency, its members are officers of the Ministry of Defence of the Republic of Belarus.

    Cybersecurity firm Mandiant has been tracking campaigns supported by UNC1151. In particular, the company says that “technical support” is provided to Ghostwriter campaigns and the Belarus government has been accused of being at least “partially responsible” for the activities of these cyberattackers. The European Council has previously accused Russia of having a part to play in Ghostwriter campaigns.

    Ghostwriter is said to align with Belarus state interests. Past activities have included promoting anti-NATO material through misinformation networks, spoofing, and website hijacking, as well as targeting Belarusian media outlets and individuals prior to the 2020 election. “Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact,” Mandiant says.

    According to CERT-UA, Ghostwriter cyberattacks have been recorded against the World Association of Belarusians, Belarusian Music Festival, literature and arts magazine Dziejaslou, Belarusian newspaper Sovetskaya Belorussiya, employees of the National Academy of Sciences of Belarus, and the Voice of Motherland newspaper. In addition, the agency warns that passport[.]command-email.online is an active phishing domain being used by the threat group.

    CERT-UA has been publishing frequent threat intelligence since the start of the Russia-Ukraine conflict. CERT-UA has also warned of mass phishing emails being sent by UNC1151 to “Ukrainian military personnel and related individuals” using email accounts with ‘i.ua’ and ‘meta.ua’ addresses. A sample phishing message is below:

    “Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding. Regards, I.UA Team.”

    On Monday, the National Security and Defense Council of Ukraine (NSDC/RNBO) also reported calls and phishing attempts made to obtain information from targets by pretending to be the post office of the Security Service of Ukraine (SBU). The Cyber Police Department of the National Police of Ukraine reports that fake phishing emails are also being sent that are masked as evacuation notices.

    In related news, hacktivist collective Anonymous says it has become involved in the conflict, claiming that it is responsible for the defacement of Russian government websites and a takedown of the state news outlet RT. RT and other state-funded media organizations have since been banned from generating revenue through ads by Google’s search and YouTube units. On February 28, the TASS Russian news outlet appeared to suffer from a cyberattack and visitors were temporarily unable to access the website. Anonymous, or someone claiming to be part of the collective, claimed responsibility.

    Meta, formerly known as Facebook, has restricted access to some accounts owned by Russian state media organizations. Meta’s Head of Security Policy Nathaniel Gleicher and Director of Threat Disruption David Agranovich said on February 27 that a network operated by people in Russia — and Ukraine — was targeting Ukraine with fake news and propaganda. According to the firm, there has also been “increased targeting” of the Ukrainian military and public figures by Ghostwriter.

  • Microsoft warning: Some files might not be deleted when you reset a Windows PC

    Microsoft has warned Windows 10 and Windows 11 users that files might not be deleted after resetting the device using the “Remove everything” option. The issue stems from Microsoft’s OneDrive cloud file service and could mean files that were synced locally remain on a computer after a local or remote reset, which admins might do before handing the device to a new owner.  

    This issue can occur when attempting a manual reset from Windows or a remote reset from Intune or other mobile device management platforms, Microsoft warns.

    “When attempting to reset a Windows device with apps which have folders with reparse data, such as OneDrive or OneDrive for Business, files which have been downloaded or synced locally from OneDrive might not be deleted when selecting the ‘Remove everything’ option,” Microsoft says in an update to its known issues for Windows 11 21H2. “OneDrive files which are ‘cloud only’ or have not been downloaded or opened on the device are not affected and will not persist, as the files are not downloaded or synced locally.”

    Microsoft notes that some device manufacturers and some documentation might call the feature to reset a device “Push Button Reset”, “PBR”, “Reset This PC”, “Reset PC”, or “Fresh Start”.

    According to BleepingComputer, the issue was discovered by Microsoft MVP Rudy Ooms, who found that user data was still readable in the “Windows.old” folder after completing a remote or local wipe of a Windows 10 device. Ooms details his findings in a blog post, including that data encrypted with Bitlocker is moved in clear form to the Windows.old folder after a Windows reset. Windows.old is a folder containing the previous version of Windows on a device.

    The issue affects Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; and Windows 10, version 20H2, according to Microsoft. The company is working on a fix for an upcoming release, but in the meantime it does have a workaround for the file-persisting issue.

    Admins can prevent the issue by signing out of or unlinking OneDrive before resetting a Windows device. Microsoft provides instructions to do this in the “Unlink OneDrive” section of the support page Turn off, disable, or uninstall OneDrive. Users can also mitigate the issue on devices that have already been reset by using the Windows feature Storage Sense in the Settings app. Storage Sense can be used to delete the Windows.old folder. Microsoft provides instructions for doing that in the support page KB5012334.