Ukraine attack update: experts find strategic similarities with NotPetya
The latest analysis of the wiper malware that targeted dozens of Ukrainian agencies while disguised as ransomware has revealed “strategic similarities” to NotPetya, the malware that was unleashed against the country’s infrastructure and elsewhere in 2017. This new malware, dubbed WhisperGate, was discovered by Microsoft last week, which said it observed the campaign targeting government, non-profit, and information technology entities in the nation. Cisco Talos adds, “While WhisperGate has some strategic similarities to the notorious NotPetya wiper, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage.”
Molerats use Google Drive and Dropbox as attack infrastructure
In December 2021, ThreatLabz researchers identified several macro-based MS office files used in attacks against entities in the Middle East. The bait files, employed in cyber espionage attacks, contain decoy themes related to geo-political conflicts between Israel and Palestine. Similar bait files had been used in previous cyberespionage campaigns attributed to the Molerats APT group, an Arabic-speaking, politically motivated group of hackers that has been active since 2012. Cloud services including Google Drive and Dropbox are being used to host the malicious payloads or for command-and-control infrastructure.
Senators introduce bill to protect satellites from getting hacked
The Satellite Cybersecurity Act would empower CISA to develop voluntary satellite cybersecurity recommendations for the private sector, essentially providing a list of best practices for how to keep systems secure. The bill would also require the U.S. Government Accountability Office to conduct a study that looks at the ways the federal government currently supports cybersecurity for the commercial satellite industry. “As commercial satellites become more pervasive, hackers could shut satellites down, denying access to their service or jam signals to disrupt electric grids, water networks, transportation systems, and other critical infrastructure,” reads a press release from the U.S. Senate Committee on Homeland Security and Governmental Affairs, which announced the bill’s introduction on Wednesday.
(Gizmodo)
McAfee Agent bug lets hackers run code with Windows SYSTEM privileges
McAfee Enterprise (now rebranded as Trellix) has patched this security vulnerability discovered in the company’s McAfee Agent software for Windows. McAfee Agent is a client-side component of McAfee ePolicy Orchestrator that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints. While only exploitable locally, threat actors commonly exploit this type of security flaw during later stages of their attacks, after infiltrating the target machine to elevate permissions for gaining persistence and further compromising the system.
Thanks to our episode sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.
CISA adds 17 vulnerabilities to list of bugs exploited in attacks
The Known Exploited Vulnerabilities Catalog is a list of vulnerabilities that have been seen abused by threat actors in attacks and that Federal Civilian Executive Branch (FCEB) agencies are required to patch. With the addition of these 17 vulnerabilities, the catalog now contains a total of 341 vulnerabilities, and each entry includes the date by which agencies must apply security updates to resolve the bug. Included in this list are the bugs allegedly used to hack Ukrainian government offices, and the SolarWinds Serv-U Improper Input Validation bug.
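A defender’s way to act on the catalog: the added Python below (not from the page or from CISA) parses entries in the shape of CISA’s published KEV JSON feed and reports which catalog CVEs an agency still has unpatched past their remediation due date. The feed field names (`cveID`, `dueDate`, `requiredAction`, and so on) are assumed from the public feed’s schema, and the two entries are constructed samples with placeholder CVE ids, not real catalog records.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed (schema assumed from the
# public feed; the CVE ids are placeholders, not real catalog entries).
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-EXAMPLE1", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "vulnerabilityName": "Example RCE",
         "dateAdded": "2022-01-18", "dueDate": "2022-02-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-EXAMPLE2", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "vulnerabilityName": "Example LPE",
         "dateAdded": "2022-01-18", "dueDate": "2022-07-18",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def parse_kev(feed_text: str) -> list[dict]:
    """Return the catalog entries with dueDate parsed to a date object."""
    entries = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "due": date.fromisoformat(v["dueDate"]),
            "action": v["requiredAction"],
        })
    return entries


def overdue(entries: list[dict], today: date, unpatched: set[str]) -> list[str]:
    """CVE ids still unpatched after the catalog's due date, sorted.

    `unpatched` is the set of catalog CVE ids that the agency's own asset
    inventory (assumed to exist elsewhere) still reports as present."""
    return sorted(e["cve"] for e in entries
                  if e["cve"] in unpatched and today > e["due"])


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_FEED)
    still_open = {"CVE-0000-EXAMPLE1", "CVE-0000-EXAMPLE2"}
    for cve in overdue(entries, date(2022, 3, 1), still_open):
        print("overdue:", cve)
```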
Merck wins NotPetya cyber-insurance lawsuit
Speaking of NotPetya, a New Jersey court has ruled in favor of pharmaceutical company Merck in a lawsuit it filed against its insurer, Ace American, which declined to cover the losses caused by the NotPetya ransomware attack. The incident, which took place in June 2017 and impacted thousands of companies all over the world, destroyed data on more than 40,000 Merck computers and took the company months to recover from. Merck estimated the damage at $1.4 billion, a loss caused by production outages, the cost of hiring IT experts, and the cost of buying new equipment to replace all affected systems. Ace American had refused to cover the losses, citing that the NotPetya attack was subject to the standard “Acts of War” exclusion clause that is present in most insurance contracts. But Merck argued in court that the attack was not “an official state action,” hence the Acts of War clause should not apply. The court agreed. Several insurers have recently updated the language of their “Acts of War” exclusion clauses.
MoonBounce UEFI bootkit can’t be removed by replacing the hard drive
Security researchers from Kaspersky said on Thursday that they had discovered a novel bootkit that can infect a computer’s UEFI firmware. Named MoonBounce, the malware doesn’t burrow and hide inside the ESP partition of the hard drive but instead infects the SPI flash memory found on the motherboard. This means that, unlike with similar bootkits, defenders can’t get rid of it by reinstalling the operating system or replacing the hard drive: the bootkit will remain on the infected device until the SPI memory is re-flashed (a very complex process) or the motherboard is replaced.
OK, now we have to worry about brainjacking
Brainjacking is a kind of cyberattack in which a hacker obtains unauthorized access to neural implants in a human body. Hacking surgically implanted devices in a human brain could allow an attacker to control the patient’s cognition and functions. With multiple intrusions and attacks on connected medical devices, healthcare providers continue to be a primary target for cybercriminals. According to research, around 83% of connected medical devices are at security risk because they run outdated software. Researchers from Oxford Functional Neurosurgery warn of blind attacks which could cause severe damage to implants, including cessation of stimulation, draining implant batteries, inducing tissue damage, information theft, impairment of motor function, alteration of impulse control, modification of emotions, and induction of pain.
(CISOMag)