Changelog: Russian hackers pick up new tricks

Rajat Kashyap / Unsplash

Welcome to Changelog for 1/18/2024, published by Synack! README senior editor Nathaniel Mott here with the week's top security news.

The payload

Google’s Threat Analysis Group today revealed that a threat actor it tracks as COLDRIVER is “going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents,” as part of its ongoing “efforts to conduct espionage aligned with the interests of the Russian government.”

Microsoft said on Jan. 7 that COLDRIVER—which it tracks as Star Blizzard—“continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.” That report focused on the group’s evolving tactics, techniques and procedures but didn’t include additional information about the malware it’s recently started to send to some of its targets.

TAG said the malware is a backdoor called SPICA that can be used to steal cookies from web browsers, poke around the host’s filesystem and execute arbitrary shell commands, among other things. Google’s researchers said they “believe that COLDRIVER’s use of the backdoor goes back to at least November 2022,” but the earliest observed usage of the malware was in September 2023. (They also said that COLDRIVER is probably using multiple versions of SPICA depending on their initial lure.)

The report is a helpful reminder that even Russia, which is best known for repeatedly disrupting Ukraine’s power grid and unleashing the NotPetya wiper (disguised as ransomware) on the world, has its hackers sending dummy PDFs to unwitting targets in service of its espionage campaigns. This is probably true for practically every government on the planet; it just doesn’t attract as many headlines because A) it’s not as exciting as more disruptive cyber operations and B) we’ve all pretty much accepted that spies are gonna spy.

TAG’s report includes some indicators of compromise for the version of SPICA that Google’s researchers managed to get their hands on. Microsoft’s report also includes indicators of compromise associated with the group, along with additional resources for defenders looking to keep it out of their networks.

The week, compiled

Have I Been Pwned? might need to change its name to You’ve Probably Been Pwned. The site, which allows people to find out if their credentials have appeared in leaked datasets, has been updated to include a massive collection of compromised account information known as Naz.API.

“This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data,” HIBP founder Troy Hunt said in a blog post. “When you look at the above forum post the data accompanied, the reason why becomes clear: it's from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.” (The “above forum post” is a screenshot from a “popular hacking forum” that was used to distribute the data.)

Hunt said the Naz.API leak included “319 files totalling 104GB” with “70,840,771 unique email addresses.” He examined some of the logs contained in the leak and found that they included usernames, passwords and the URL for the service associated with each account. There are some duplicate entries, Hunt said, but the sheer number of unique email addresses suggests a whole lot of people need to determine whether their machines are infected with infostealer malware before they start changing the passwords for these accounts; a new password typed into a still-infected machine is simply stolen again.

krakenimages / Unsplash

Not that many of those passwords would have been hard to obtain (or guess) without the Naz.API leak. Hunt said there is “a massive prevalence of people using the same password across multiple [different] services and completely different people using the same password.” Some of the leaked passwords—like “jasonjason”—also indicate that people are continuing to use easy-to-guess and even easier-to-crack passwords rather than using password managers to generate more secure credentials.
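The two findings above, duplicate entries among many unique addresses and the same password turning up across services and across unrelated people, are the kind of thing a defender would check for when handed a stealer-log dump. The Python below is an added example, not code from the Changelog post, from Troy Hunt or from Have I Been Pwned; it parses a small constructed sample in the common `url:username:password` layout (the records, hosts and passwords are made up), counts exact duplicates and unique emails, and flags both forms of password reuse. The `url:user:pass` layout and the colon-free passwords are assumptions about the format; real dumps vary.

```python
"""Triage a batch of stealer-log records: dedupe, count unique emails,
and flag password reuse across services and between different users.
Added example; the sample below is constructed and not from any real leak."""

from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a "url:user:pass" stealer-log layout. None of these
# accounts, services or passwords are real. Note the mixed-case repeat of
# Alice's shop login and the exact repeat of Carol's mail login.
SAMPLE_LOG = """\
https://mail.example.com/login:alice@example.com:jasonjason
https://shop.example.net/account:alice@example.com:jasonjason
https://bank.example.org/signin:alice@example.com:Tq7!vL9#pZ
https://shop.example.net/account:Alice@Example.com:jasonjason
https://forum.example.com/login:bob@example.com:jasonjason
https://mail.example.com/login:carol@example.com:correct-horse-battery
https://mail.example.com/login:carol@example.com:correct-horse-battery
this line is garbage and should be skipped
"""


def parse_stealer_log(text):
    """Yield (host, email, password) triples from url:user:pass lines.

    The URL can itself contain ':' (scheme, port), so split from the right:
    the password is after the last ':' and the username before it. A password
    that contains ':' would be mis-split; that is a known limit of this layout.
    Malformed lines are skipped rather than aborting the whole batch.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        url_user, sep1, password = line.rpartition(":")
        url, sep2, user = url_user.rpartition(":")
        if not (sep1 and sep2 and url and user and password):
            continue
        host = urlsplit(url).hostname
        if host is None:
            continue
        # Emails are case-insensitive; normalise so repeats collapse.
        yield host, user.lower(), password


def triage(text):
    """Summarise a dump the way the Naz.API write-up does."""
    records = list(parse_stealer_log(text))
    unique = set(records)  # exact (host, email, password) repeats collapse
    emails = {email for _, email, _ in unique}

    users_by_password = defaultdict(set)          # password -> emails using it
    services_by_credential = defaultdict(set)     # (email, password) -> hosts
    for host, email, password in unique:
        users_by_password[password].add(email)
        services_by_credential[(email, password)].add(host)

    # One person using the same password on more than one service.
    reuse_across_services = {
        cred: sorted(hosts)
        for cred, hosts in services_by_credential.items()
        if len(hosts) > 1
    }
    # Unrelated people who happen to share a password (a guessable one, usually).
    shared_between_users = {
        password: sorted(users)
        for password, users in users_by_password.items()
        if len(users) > 1
    }
    return {
        "records": len(records),
        "duplicates": len(records) - len(unique),
        "unique_emails": len(emails),
        "reuse_across_services": reuse_across_services,
        "shared_between_users": shared_between_users,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports 7 parsed records, 2 duplicates and 3 unique emails, flags Alice reusing "jasonjason" on two services, and flags "jasonjason" as shared between Alice and Bob. The per-email host lists are also what a responder would hand to each affected user as the set of accounts to rotate once the infected machine has been cleaned.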

And now for some of the week’s most interesting security news:

BleepingComputer: Google has fixed the first actively exploited zero-day in its Chrome browser of 2024! BleepingComputer said the vuln “is due to a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, which attackers can exploit to gain access to data beyond the memory buffer, providing them access to sensitive information or triggering a crash.” Update your browser now.

Ars Technica: Quarkslab ruined many-a data center sysadmin’s day on Jan. 16 with the revelation that, as Ars Technica put it, “UEFI firmware from five of the leading suppliers contains vulnerabilities that allow attackers with a toehold in a user's network to infect connected devices with malware that runs at the firmware level.” (For more on why firmware-level infections are so concerning, check out this report.)

TechCrunch: Remember those Ivanti vulnerabilities I covered last week? Well, Volexity said on Jan. 15 that “more than 1,700 Ivanti Connect Secure appliances worldwide have been exploited so far, affecting organizations in the aerospace, banking, defense, government and telecommunications industries,” which means the vulns have been incorporated into various threat actors’ mass exploitation attempts.

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

Bill Gates sent an email to every Microsoft employee on Jan. 17, 2002 with a two-word subject line: “Trustworthy Computing.” (Wired published a copy of the email; you can read it in its entirety there.)

“Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better,” Gates wrote. “Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.”

Yet now—22 years after that email was sent—a great many people still have to worry about the security of Microsoft’s products. Windows is regularly updated to patch against the latest vulnerabilities, nobody but Microsoft can be trusted to operate Exchange servers and threat actors seem to love exploiting flaws in Microsoft Office almost as much as they like to use GitHub’s infrastructure in their malware.

Don’t get me wrong: I know those problems can be at least partly attributed to the fact that Microsoft’s products are so popular. Hackers target Windows, Exchange and Office because those are the technologies most people use. Microsoft could do better, obviously, but the reality is that nobody could make Gates’ vision of “trustworthy computing” a reality. They’re computers; don’t trust them!

Local files

The Record: The FBI and the Cybersecurity and Infrastructure Security Agency said on Jan. 17 that Chinese drones “pose a ‘significant risk’ to U.S. critical infrastructure,” The Record reported, because they could be “a potential direct channel to Beijing of sensitive information on U.S. vulnerabilities.” (Not that many drone buyers seem likely to opt for units made outside China without a government mandate.)

Reuters: Veon, the parent company of the Kyivstar telecommunications firm that Russia hacked in mid-December to disrupt Ukraine’s infrastructure, today said it expects the incident to “cost it around 3.6 billion hryvnias (around $95 million) in revenue for the 2024 fiscal year” due to “measures the company took to compensate customers for the inconvenience caused by the disruptions.”

CyberScoop: Experts told Congress on Jan. 17 that the Cyber Safety Review Board established by the Department of Homeland Security in 2021 “continues to lack the authorities and independence from the private sector that it needs in order to effectively investigate major cybersecurity incidents,” which is a problem, because effectively investigating major cybersecurity incidents is the group’s raison d'être.

Off-script

Framework launched in 2020 with a somewhat grandiose mission: fixing consumer electronics. That mission led to the development of a laptop that people can repair themselves—which also means they can upgrade certain aspects of the device rather than buy a replacement simply because they want a mightier processor, additional storage or enough memory to have more than a few tabs open in their web browser.


Dan Cristian Pădureț / Unsplash

I also think we should be able to own—truly own, not merely rent, or lease—our devices. That’s what the right to repair movement’s all about. We bought these products, and their manufacturers shouldn’t be able to dictate what we do with them, or decide the only way to fix them when they break is to go to an officially sanctioned repair service that many people can’t afford. (Assuming they can be fixed at all.)

I ordered a Framework Laptop on Jan. 15; it arrived today. I haven’t assembled it yet, but it’s already delivered on at least some of its promise: the ability to use my own parts means I didn’t have to buy a power supply or storage, and because I want to assemble it myself, I saved a few hundred bucks over the pre-built model. Could the resulting build be terrible? Maybe! But at least I’ll get to find out first-hand.