Clicking QR codes, Ukraine DDoS attacks and tracking Snake
Welcome to Changelog for 2/20/22, published by Synack! The past week brought rapid-fire U.S. attribution of Russian cyberattacks, an unusually frank U.S. government hearing on China’s cyber capabilities and previously unreported connections between the infamous Turla hacking group and Moscow’s FSB spy agency. I’m your host, Blake, and I’ll try not to commit any “informational terrorism” as I walk you through the latest cybersecurity news:
The payload
Cryptocurrency company Coinbase gave a jump scare to cybersecurity pros on Superbowl Sunday with a cheeky ad featuring a bouncing QR code in chameleon colors. While many viewers worried if their TV was broken, infosec Twitter collectively flipped out, worried millions of people just clicked a suspect link.
The mysterious ad, reminiscent of old-school bouncing screensavers, drove so much traffic to Coinbase that its app temporarily crashed. Coinbase CMO Kate Rouch said in a blog post Monday that “we hope people found it in turn surprising, confounding and delightful.”
Surprising? Definitely. Delightful? That’s up for debate.
I wasn’t mad at Coinbase and did wonder if the cybersecurity community might be overreacting. Is every QR code off limits simply because there’s a chance something malicious could be lurking behind it?
As Nathaniel Mott reports for README, QR code anxieties seem to be overblown. The blocky image is most often a vehicle for a link, and the risk amounts to… clicking on a link. (Plus, camera apps typically show a preview of the URL.)
Sure, links can be harmful. But would malicious hackers really go through all the hoops and trouble and expense of hacking a multimillion-dollar, carefully regulated Super Bowl spot? (At that point, they’d probably go straight for actual Coinbase accounts.) Or, to use a more quotidian example, is a hacker really going to physically swap out that laminated QR menu at your favorite local restaurant?
Sophisticated hackers don’t even need targets to click anything to compromise their phones nowadays. I’ll admit, I fell for the ad and scanned the Coinbase QR code as soon as it started bouncing around the screen. Nothing happened, and I didn’t turn into a QR worrywart.
The week, compiled
Ukraine shouldered its biggest-ever spate of DDoS attacks last week. The blitz coincided with an “information attack,” as police officials put it, in which spam messages sprang up on Ukrainians’ phones warning that ATMs in the country had broken down. (The banking system was fine.) Bogus bomb threats have become another common occurrence.
Kyiv authorities initially refrained from pinning some of the cyberattacks on Russia, but the White House did so Friday, when Deputy National Security Advisor Anne Neuberger said hackers tied to the GRU were to blame for the DDoS attacks. The speed of the attribution was notable, but the culprit was unsurprising: Who else has well over 100,000 troops lined up on Ukraine’s borders and a history of hacking civilian targets there?
Ukrainian officials said they were able to successfully fend off the DDoS attacks, which appear to have been more rudimentary than the destructive WhisperGate malware discovered in Ukrainian networks last month. But even simple hacks can hide more sinister goals: A series of website defacements in January may have been aimed at stealing Ukrainian car insurance information, according to a report Tuesday. I shudder to think of what Russian military units might do with the addresses and personal data of a large tranche of Ukrainian citizens, as shelling intensifies in eastern Ukraine.
Here’s what else made waves last week:
Reuters: Saudi women’s rights activist Loujain al-Hathloul singlehandedly tipped the scales on surveillance company NSO Group and its powerful “zero-click” spyware after providing security researchers with their first sample of the iPhone hacking tool. A software glitch left a fake image file on her device that contained code traceable to NSO Group — a smoking gun for a sophisticated piece of spyware that would normally delete all traces of itself after stealing files.
The Wall Street Journal: A $500 Walmart gift card helped turn a page for investigators digging into the 2016 hack of the Bitfinex cryptocurrency exchange, which siphoned off a whopping $4.5 billion. The Justice Department announced earlier this month that it had clawed back $3.6 billion of that figure, while arresting New York residents Ilya Lichtenstein and Heather Morgan (of “Razzlekhan” fame) on allegations that they laundered much of the stolen money.
The Washington Post: Facial recognition company Clearview AI is on a mission to build a surveillance system powerful enough to identify “almost everyone in the world,” according to a previously unreported pitch deck to investors. It’s set to have 100 billion facial photos to play with — er, solve “tough physical security problems” with — by the end of the year. What could go wrong?
A Message From Synack:
Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.
The Register: The Cybersecurity and Infrastructure Security Agency, the FBI and the NSA warned last week that Russian state-sponsored hackers breached cleared defense contractors over the past two years to steal “sensitive, unclassified information.” I’m shocked — shocked! — to find that cyberespionage is going on here.
Flash memory
Eight years ago, U.K.-based multinational defense contractor BAE Systems released a groundbreaking analysis of the “Snake” cyberespionage toolkit, showing that the “committed and well-funded professionals” behind the spying operation had been working on the malware since at least 2005.
At the time, the Snake malware was cropping up most frequently in Ukrainian and Lithuanian targets, though earlier versions of it had appeared in Pentagon networks under the “Agent.btz” moniker.
BAE Systems declined to pin Snake on Russia, but analysts long surmised that Moscow was behind it, given the makeup of the malware and its usual victims. The security company called it “one of the most sophisticated and persistent threats we track.”
“There are some threats which come and go, whilst there are others which are permanent features of the landscape,” the company added.
Fast forward to 2022, and that observation has held true. Two German news outlets collaborated to reveal ties between Russia’s FSB spy agency and users “vlad” and “urik,” individuals thought to have worked on Snake. Though the investigative report released last week declined to name the two developers outright, their malware tools were still in use as of at least 2020, and Snake, AKA Turla, remains active in countries including Afghanistan.
Local Files
AP: The San Francisco 49ers have fallen victim to the BlackByte ransomware-as-a-service group, which recently posted supposed stolen documents from the football team on a dark web site. The team said ticket holders don’t appear to be affected.
The Daily Swig: New Zealand’s latest government security manual calls on agencies to offer ways for members of the public to report software vulnerabilities, though don’t hold your breath for big payouts: The policies must include a “no bug bounty” clause.
Route Fifty: The Center for Technology in Government, an Albany, N.Y.-based research institution, released a cybersecurity primer for local governments, noting that “in 2022, it will be even more important for local leaders to understand cybersecurity and their own cyber profile.”
Off-script
A stunning NASA image made the rounds on Twitter this week. In 2014, the Curiosity rover captured Earth’s fragile glow from above the gentle ridges of a Martian horizon. The moon’s there too if you look closely! Really puts our cybersecurity woes in perspective.
That’s it for this week! Tips, feedback, and Rickrolling QR codes welcome: bsobczak@synack.com. Happy Presidents’ Day!