Cybersecurity News: Russia infiltrates satellites, Gmail’s end-to-end encryption, NSA’s Russia warning

CISA says Russia’s Fancy Bear infiltrated US satellite network

Researchers at CISA recently discovered what they suspect to be Russian hackers inside a U.S. satellite network, lending weight to Moscow's stated intention to infiltrate and disrupt the space economy. Although details are still forthcoming, the group considered responsible is Fancy Bear (aka APT28). The satellite network intrusion came from the exploitation of a 2018 vulnerability in an unpatched virtual private network, which gave the hackers the ability to scrape the credentials of all active sessions.

(Cyberscoop)

Google introduces end-to-end encryption for Gmail on the web

Google announced on Friday that enrolled Google Workspace users can now send and receive encrypted emails within and outside their domain. This adds to the client-side encryption already available for users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta). Gmail client-side encryption will “ensure that any sensitive data delivered as part of the email’s body and attachments (including inline images) cannot be decrypted by Google servers. But the email header (including subject, timestamps, and recipients lists) will not be encrypted.”

(Bleeping Computer)

NSA cyber director warns of Russian digital assaults on global energy sector

Rob Joyce said Thursday he remains “concerned about significant cyberattacks from Russia, warning that Moscow could unleash digital assaults on the global energy sector in the coming months.” He said, “I would not encourage anyone to be complacent or be unconcerned about the threats to the energy sector globally. As the [Ukraine] war progresses there’s certainly the opportunities for increasing pressure on Russia at the tactical level.” Joyce pointed to the “enormous amount of activity in cybersecurity this year,” saying it felt as if the U.S. was “one bad compromise away from Colonial Pipeline.”

(Cyberscoop)

Cybercriminals’ latest grift: powdered milk and sugar by the truckload

Cybercriminals are increasingly using business email compromise (BEC) against companies in the food and agriculture sector, leading to literal truckloads of products ending up in scammers’ hands. The FBI, Food and Drug Administration and U.S. Department of Agriculture released a joint advisory warning of these scams. As quoted in The Record, “In one instance, in August, a supplier received a request for a truckload of sugar on credit from a senior employee at an unnamed U.S. company. The recipient of the request noticed the extra letter in the domain name of the address and, after contacting the company, discovered there was nobody there with that name. Others weren’t so fortunate, however. Also in August, a food distributor received an email from a multinational food and beverage company for two truckloads of powdered milk. The request came from the company’s chief financial officer, and the shipment was sent. In fact, the email address had one extra letter in the domain name and the distributor ended up on the hook for more than $160,000.”

(The Record)
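The “one extra letter in the domain name” pattern in both cases is easy to catch mechanically, which is what the first supplier effectively did by eye. The following is an added example, not code from the newsletter or the joint advisory: it checks the sender address of a purchase request against a constructed list of known partner domains and flags near-misses by edit distance, so that such messages can be routed to the same out-of-band verification (calling the company) that saved the sugar supplier. The partner domains and sample addresses are all made up for the example.

```python
"""Flag sender domains that are near-misses of known partner domains.

Added example for the BEC cases above; the partner list, the sample
addresses and the thresholds are constructed, not taken from the advisory.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of domains this distributor actually trades with.
KNOWN_PARTNER_DOMAINS = {"example-foods.com", "acme-dairy.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions
    turning a into b. One extra letter in a domain is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> Optional[str]:
    """Extract the domain from 'Name <user@domain>' or bare 'user@domain'.
    Returns None when there is no usable address."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


@dataclass
class Verdict:
    domain: str
    status: str            # "known", "lookalike", "unknown" or "invalid"
    closest: Optional[str]  # nearest partner domain, if any
    distance: Optional[int]


def classify_sender(address: str, partners=KNOWN_PARTNER_DOMAINS,
                    max_distance: int = 2) -> Verdict:
    """Compare the sender's domain with every partner domain.

    Exact matches are "known". Anything within max_distance edits of a partner
    domain but not equal to it is a "lookalike" and should be verified out of
    band before goods ship on credit. Everything else is simply "unknown".
    """
    dom = sender_domain(address)
    if dom is None:
        return Verdict("", "invalid", None, None)
    if dom in partners:
        return Verdict(dom, "known", dom, 0)
    closest, dist = min(((p, edit_distance(dom, p)) for p in partners),
                        key=lambda pair: pair[1])
    if dist <= max_distance:
        return Verdict(dom, "lookalike", closest, dist)
    return Verdict(dom, "unknown", closest, dist)


if __name__ == "__main__":
    # Constructed sample of From: headers on incoming purchase requests.
    samples = [
        "Purchasing <orders@example-foods.com>",        # genuine partner
        "CFO <cfo@example-foodss.com>",                 # one extra letter
        "accounts@acme-dairy.example",                  # genuine partner
        "logistics@unrelated-vendor.example",           # new, not a lookalike
        "no address here",
    ]
    for s in samples:
        v = classify_sender(s)
        print(f"{v.status:9} {v.domain or '-':28} nearest={v.closest} d={v.distance}")
```

Edit distance catches inserted, dropped and swapped letters, which is the pattern the advisory describes; it does not catch visually confusable characters or internationalised-domain homoglyphs, which need a separate confusables table. The useful operational outcome is not the verdict itself but the policy attached to it: a "lookalike" on a request to ship on credit goes to a phone call on a number already on file, never to a number or reply address taken from the suspicious message.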

Thanks to this week’s episode sponsor, Tines

Before Tines, co-founders Eoin and Thomas spent 15 years as senior security operators. Frustrated by the inability to solve for the challenges their teams were facing, they built their own solution. Tines allows security teams to robustly automate mundane, repetitive tasks – without code – so they can focus on their most important work. Visit Tines.com to learn more!

Facebook ups its RCE bug bounty program

Meta is now offering up to $300,000 to security researchers who report vulnerabilities that allow attackers to remotely execute code on its mobile apps. This is in response to threats facing Facebook and Instagram users from spyware and covert information operations. Meta says it has paid out $2 million in rewards to researchers from more than 45 countries this year. “Out of about 10,000 reports made to the company, Meta offered rewards to more than 750 submissions. The company has paid more than $16 million for more than 8,500 reports since 2011.”

(The Record)

Fire and rescue service in Victoria, Australia confirms cyber attack

Fire Rescue Victoria (FRV) acting Commissioner Gavin Freeman has stated that the outage was first observed between 4am and 5am on Thursday. FRV operates 85 fire and rescue stations across the state, an area roughly similar to the combined area of Tennessee, Alabama, Georgia and South Carolina. The cyberattack is affecting most of FRV’s systems, including network, email and dispatch. “Importantly, community safety has not been compromised and FRV continues to dispatch crews and appliances through mobile phones, pagers and radios,” reads a statement published on Friday. “Preliminary investigations confirm this has been a cyber-attack by an external third party and that FRV systems are impacted.” Ransomware has not yet been confirmed.

(Security Affairs)

Rezilion releases year-end vulnerabilities recap

Released just this morning, Monday, the recap document lists some of the most prominent vulnerabilities of this past year. These include the privilege escalation vulnerabilities PwnKit and Dirty Pipe, the remote code execution zero-days Spring4Shell, ProxyNotShell and SpookySSL, as well as a few others. The report describes each vulnerability along with its CVE number and characteristics and, of course, recommendations for remediation and mitigation.

(Rezilion)

Last week in ransomware

Coordinated reports from Microsoft, Mandiant, Sophos, and SentinelOne indicated that multiple threat actors, including the Hive and Cuba ransomware operations, used malware signed using compromised accounts. Clop ransomware was found to be using TrueBot malware for access to networks. Azov ransomware was determined to be a polymorphic wiper. Royal ransomware continued to expand beyond healthcare. Agenda ransomware is using Rust to target more vital industries. A LockBit attack hit California’s Department of Finance. The Play ransomware operation claimed an attack on the Belgian city of Antwerp, and BlackCat ransomware attacked EPM, one of the largest energy suppliers in Colombia.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.