Cybersecurity News – March 11, 2022

Russia creates its own TLS certificate authority to bypass sanctions

Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevented certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates. According to the Russian public services portal, Gosuslugi, the Russian state “will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue within five working days.”

(Bleeping Computer)

Online sleuths are using face recognition to ID Russian soldiers

In France, the CEO of a law enforcement and military training company called Tactical Systems took a screenshot of a Russian soldier’s face, taken from a video posted on Telegram, and within an hour, using face recognition services available to anyone online, he identified the soldier by name, and found his Instagram account. Experts suggest that these technologies run the risk of misidentifying people, but recognize also that a range of facial recognition technologies are becoming a significant weapon for both sides.

(Wired)

Basic text-color trick can fool phishing filters

Researchers at Avanan said Thursday they’ve found evidence of a phishing campaign that uses a simple trick involving the text color in an email. The bogus emails include text that is covered in white, “blinding it from the end-user and fooling phishing filters,” writes Avanan’s Jeremy Fuchs. In this case, the attackers add nonsense strings of text that obfuscate what otherwise looks like a typical phishing email — and probably would be exiled immediately to the trash by many email providers. The goal, as is common for this kind of campaign, is to get the recipient to log into a fake webpage or call a phone number — “a classic credential harvesting scheme,” Avanan says. 

(Cyberscoop)
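The trick Avanan describes is easy to test for on the receiving side: hidden filler text still has to live in the HTML, so a filter can measure how much of an email's text is rendered invisibly (white colour, zero font size, display:none) and flag messages where that share is high. The following detector is an added example for this roundup, not Avanan's code or anything from the reported campaign; the sample email, the colour list and the 30% threshold are constructed assumptions for illustration.

```python
"""Flag HTML emails whose text is mostly hidden (white-on-white, zero-size, display:none)."""
from html.parser import HTMLParser

# Colour values attackers commonly use to hide text against a white background (assumed list).
WHITE_VALUES = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}
ZERO_SIZES = {"0", "0px", "0pt", "0em"}
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}


def _is_hidden_style(style: str) -> bool:
    """True if an inline style string makes its text invisible to the reader."""
    decls = {}
    for part in style.lower().split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip()] = value.strip().replace(" ", "")
    return (
        decls.get("color", "") in WHITE_VALUES
        or decls.get("display") == "none"
        or decls.get("font-size", "") in ZERO_SIZES
    )


class HiddenTextParser(HTMLParser):
    """Splits the document's text into visible and hidden runs."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._hidden_depth = 0   # >0 while inside any hiding element
        self._stack = []         # one bool per open non-void tag: did it hide?
        self._in_skip = 0        # inside <style>/<script>, whose text is never rendered

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:      # no matching end tag, so do not push onto the stack
            return
        attrs = dict(attrs)
        hides = _is_hidden_style(attrs.get("style") or "")
        # <font color="white"> is the legacy form of the same trick
        if (attrs.get("color") or "").lower().replace(" ", "") in WHITE_VALUES:
            hides = True
        self._stack.append(hides)
        if hides:
            self._hidden_depth += 1
        if tag in ("style", "script"):
            self._in_skip += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1
        if tag in ("style", "script") and self._in_skip:
            self._in_skip -= 1

    def handle_data(self, data):
        text = data.strip()
        if not text or self._in_skip:
            return
        (self.hidden if self._hidden_depth else self.visible).append(text)


def analyse(html: str, threshold: float = 0.3) -> dict:
    """Return character counts and a verdict: suspicious if >= threshold of the text is hidden."""
    parser = HiddenTextParser()
    parser.feed(html)
    parser.close()
    hidden_chars = sum(len(t) for t in parser.hidden)
    visible_chars = sum(len(t) for t in parser.visible)
    total = hidden_chars + visible_chars
    ratio = hidden_chars / total if total else 0.0
    return {
        "visible_chars": visible_chars,
        "hidden_chars": hidden_chars,
        "hidden_ratio": round(ratio, 3),
        "suspicious": ratio >= threshold,
    }


# Constructed sample in the style of the campaign: a short lure padded with invisible filler.
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is almost full. <a href="http://example.invalid/login">Verify your account</a> now.</p>
<p style="color:#ffffff">lorem quartz balloon seventeen migrate custard</p>
<span style="font-size:0px">randomized token filler words here</span>
<br>
<p>Regards, IT Helpdesk</p>
</body></html>"""

if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

The hidden share is a heuristic, not proof: legitimate newsletters also hide preheader text, so a production filter would combine this score with the usual signals (sender reputation, link targets, credential-harvesting keywords) rather than rejecting on it alone.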

Ukrainian hacker linked to REvil ransomware attacks extradited to United States

Yaroslav Vasinskyi, a Ukrainian national linked to the Russia-based REvil ransomware group, has been extradited to the U.S. to face charges for his role in carrying out the file-encrypting malware attacks against several companies, including Kaseya last July. The 22-year-old had previously been arrested in Poland in October 2021, prompting the U.S. Justice Department (DoJ) to file charges of conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. Vasinskyi, who was transported to Dallas on March 3 pursuant to an extradition treaty between the U.S. and Poland, had his charges formally read in the Northern District of Texas. If convicted of all counts, Vasinskyi faces a total prison term of 115 years.

(The Hacker News)

There are many misconceptions about security automation, so Torq is debunking a security automation myth each day this week.

Myth 5: You Should Automate All Security Processes
False. You should automate routine, repetitive tasks that are not subject to much conditional variance. But workflows that can’t be reliably managed by automation tools, such as assessing the financial consequences of a breach or determining whether a security incident should trigger an application rollback, should remain the domain of humans. To learn more about the realities of automation, head to torq.io.

Qakbot Botnet sprouts fangs, injects malware into email threads

The Qakbot botnet is getting more dangerous, sinking its fangs into email threads and injecting malicious modules to pump up the core botnet’s powers. On Thursday, Sophos published a deep dive into the botnet, describing how researchers have recently seen it spreading through email thread hijacking – an attack in which malware operators malspam replies to ongoing email threads. In a recent campaign, Qakbot has also been devouring system information, Sophos said. “It spreads through email thread hijacking and collects a wide range of profile information from newly infected machines, including all the configured user accounts and permissions, installed software, running services, and more,” according to the writeup, after which the botnet downloads the malicious modules.

(Threatpost)

Big Cloud suspends sales in Russia – sort of

Expanding on a story we brought you yesterday, as tech companies like Adobe, Apple and PayPal, as well as consumer giants like Exxon, Visa, McDonald’s and Coca-Cola have ceased doing business in Russia, so too have most cloud vendors, but not all. Yesterday we reported that AWS, which has no data centers in Russia, implemented a policy change over the weekend, preventing customers in Russia and Belarus from signing up for new accounts. TechCrunch reports that Microsoft and IBM have taken action to suspend sales to Russia, while Google states it is “not accepting new Google Cloud customers in Russia at this time.” Cloudflare, which is not a pure cloud infrastructure vendor, but helps provide secure internet access via hundreds of data centers around the world, says it feels it is important to keep the internet running in the country in spite of calls to shut down service there, stating, “Russia needs more Internet access, not less.”

(TechCrunch)

New vulnerability affects thousands of self-managed GitLab instances

Researchers have disclosed details of a new security vulnerability in GitLab, the open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. “The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries,” Rapid7’s Jake Baines said in a report published Thursday. “A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.”

(The Hacker News)
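For operators of self-managed instances, the first step is knowing which of their GitLab versions fall in the affected range. The script below is an added example for this roundup, not Rapid7's or GitLab's code: it parses GitLab version strings (including the `-ee` suffix) and triages an inventory against the range as this report states it, 13.0 and later but before 14.8. The inventory and its version values are constructed sample data; the exact patched releases should be taken from GitLab's own advisory, which this page does not reproduce.

```python
"""Triage self-managed GitLab instances against the CVE-2021-4191 range stated in the report."""

# Range as given in the report above (assumption: 13.0 <= version < 14.8).
AFFECTED_FROM = (13, 0, 0)
AFFECTED_BEFORE = (14, 8, 0)


def parse_version(version: str) -> tuple:
    """'14.7.3-ee' -> (14, 7, 3). Edition suffixes are dropped; missing parts are 0."""
    core = version.strip().split("-")[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"bad version component {part!r} in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range."""
    return AFFECTED_FROM <= parse_version(version) < AFFECTED_BEFORE


def triage(inventory: list) -> list:
    """Return the hostnames whose reported version is in the affected range.

    Each inventory entry is assumed to carry the JSON body GitLab returns from
    GET /api/v4/version, i.e. a dict with a 'version' key.
    """
    hits = []
    for entry in inventory:
        try:
            if is_affected(entry["version_info"]["version"]):
                hits.append(entry["host"])
        except (KeyError, ValueError):
            # An unreadable version is a finding of its own; surface it rather than skip silently.
            hits.append(f"{entry.get('host', '?')} (unparseable version)")
    return hits


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "gitlab-prod.example.invalid", "version_info": {"version": "14.7.3-ee"}},
    {"host": "gitlab-dev.example.invalid", "version_info": {"version": "14.8.0-ee"}},
    {"host": "gitlab-legacy.example.invalid", "version_info": {"version": "12.10.14"}},
    {"host": "gitlab-ci.example.invalid", "version_info": {"version": "13.0"}},
    {"host": "gitlab-odd.example.invalid", "version_info": {"version": "unknown"}},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs attention:", host)
```

Because the flaw is a missing authentication check on the GraphQL API, a version check is the reliable test; probing the endpoint itself against production instances is unnecessary once the version is known.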

Google rolling out air raid alerts to Android users in Ukraine

The new feature was announced via an update to a March 1 blog post regarding the actions taken by Google following the Russian invasion of Ukraine. Kent Walker, Google’s President of Global Affairs, stated that the airstrike warning system rolling out to Ukrainians’ Android phones “is supplemental to the country’s existing air raid alert systems” and uses air raid alert info provided by the Ukrainian government.

(Bleeping Computer)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.