Killnet saber-rattling, a busy Patch Tuesday and a new ransomware threat

The Hartsfield-Jackson Atlanta International Airport was targeted by a DDoS attack last week. Chris Rycroft/Flickr

Welcome to Changelog for 10/16/22, published by Synack! It’s me, Blake, compiling this week’s newsletter with help from README senior editor Nathaniel Mott. Interested in covering cybersecurity stories for us? Nate recently compiled a helpful guide to pitching README. Hope to hear from you soon! In the meantime, here’s your top news:


The payload

The pro-Russian Killnet hacktivist group would do well to remember what happened to the DarkSide ransomware gang before it.

DarkSide’s cyberattack on Colonial Pipeline in May 2021 temporarily halted nearly half the fuel supplies to the U.S. East Coast, spurring panic buying at gas pumps. The attack elicited a forceful response from U.S. authorities, who are still offering a $10 million reward for information on DarkSide’s leaders.

Killnet’s milquetoast DDoS attacks on public-facing U.S. airport websites and a major bank last week may have lacked teeth compared to DarkSide’s ransomware spree. (It wasn’t even the first time Killnet has targeted U.S. airports, to little impact.)

Even though they weren’t effective, the attacks were still clear attempts to disrupt American critical infrastructure, launched against the high-stakes backdrop of the Russia-Ukraine war. Killnet’s false, grandiose claims of “blocking the entire network infrastructure” of JPMorgan Chase show what the group’s backers wished to accomplish, if they had the technical chops and DDoS firepower.

Someone in the Killnet hierarchy may have realized they were flying a bit too close to the sun with last week’s headline-grabbing attacks. The group declared via its Telegram channel Friday that it would “pause” further activity against high-profile U.S. targets, explaining, “We don’t want to be the reason for new sanctions or any other bullshit towards Russia.”

If Congress or the White House applied new sanctions against Moscow in response to Killnet, the group would probably still find a way to brag about it on Telegram.

The week, compiled

Microsoft surprised many people on Oct. 11 when its Patch Tuesday release, which addressed nearly 100 security flaws across the company’s products, didn’t include any fixes related to a pair of Exchange vulnerabilities that have been actively exploited since at least the end of September. Instead, the company said it would “release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.”

Meanwhile, a vulnerability identified as CVE-2022-34689 did get a fix. The Microsoft Security Response Center said the “Windows CryptoAPI Spoofing Vulnerability” meant that “an attacker could manipulate an existing public x.509 certificate to spoof their [identity] and perform actions such as authentication or code signing as the targeted certificate.”

That vuln received a lower CVSS score (7.5) than either of the Exchange flaws, both of which received a score of 8.8, and it doesn’t appear to have been exploited before Patch Tuesday. But the severity of a vulnerability doesn’t always determine its priority. Other factors, such as who reported a flaw, also have an impact — and CVE-2022-34689 was disclosed by the NSA and the UK’s National Cyber Security Centre. That’s a pretty big tell that it’s worth taking seriously.

An aerial view of NSA headquarters. Trevor Paglen

Here are some of the other things that happened last week:

CyberScoop: The White House announced its plan to create “a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities.” CyberScoop reported that the White House is looking to launch these labels some time in spring 2023 after receiving feedback from its outside partners.

BleepingComputer: Fortinet confirmed that a critical vulnerability (CVE-2022-40684) affecting FortiOS, FortiProxy and FortiSwitchManager was being actively exploited. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the flaw to its Known Exploited Vulnerabilities catalog, giving all federal civilian executive branch agencies until Nov. 1 to patch against it.

SecurityWeek: Microsoft wasn’t the only company observing Patch Tuesday on Oct. 11. Adobe released updates for 29 vulnerabilities that SecurityWeek said exposed Windows and macOS users to “arbitrary code execution, arbitrary file system write, security feature bypass and privilege escalation attacks.” Adobe released advisories for its ColdFusion, Acrobat Reader, Commerce and Dimension products.

A message from Synack

There is a better way to pentest that meets compliance requirements, ensures vulnerabilities are remediated and augments existing security teams, allowing them to focus on other risk management projects. Learn how continuous pentesting achieves all that in an Oct. 19 webinar featuring Adam Keown, global CISO of Eastman Chemical Company; David R. Hale of Brownstein Hyatt Farber Schreck LLP; and Synack co-founder and CEO Jay Kaplan. Learn more and register for the 11 a.m. PT webinar here.

Flash memory

Oct. 11 wasn’t just Patch Tuesday. It was also Ada Lovelace Day, which the Finding Ada Network describes as “an international celebration of the achievements of women in science, technology, engineering and maths (STEM)” held on the second Tuesday of October in honor of the world’s first computer programmer.

A watercolor portrait of Ada Lovelace, possibly by A E Chalon.

CISA director Jen Easterly celebrated Ada Lovelace Day with a tweet honoring the “Enchantress of Numbers,” as Lovelace came to be known.

“I aspire to be an enchantress at something, or at least look as fashionable while doing higher math,” Easterly said. “In Ada’s spirit, let’s get to 50% women in cybersecurity by 2030!”

Local files

ESET: An advanced persistent threat (APT) tracked by ESET and the Microsoft Threat Intelligence Center (MSTIC) as POLONIUM was caught targeting “more than a dozen organizations in Israel” across “engineering, information technology, law, communications, branding and marketing, media, insurance, and social services” verticals since at least September 2021. POLONIUM remained active this September, too, and ESET’s report detailed some of the custom tools used by the Lebanon-based APT.

CSH: CommonSpirit Health (CSH) confirmed on Oct. 12 that an incident it previously characterized as “an IT security issue” was in fact a ransomware attack. The company — which operates the second-largest nonprofit hospital chain in the U.S. — said that its “facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records.” It also “engaged leading cybersecurity specialists and notified law enforcement” in response to the attack.

hnt6581/Flickr

MSTIC: Microsoft published a report on “a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland.” The previously unknown Prestige ransomware “shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims” of the HermeticWiper malware deployed in February. Microsoft said it hadn’t linked Prestige to a known threat group at time of publication, however.

SSSCIP: The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said 49 members of the International Telecommunication Union “supported the Joint Statement that specifically includes the assistance in rebuilding telecommunication infrastructure destroyed by [Russia].” SSSCIP also said Russia has damaged or captured 4,000 base stations; damaged or captured more than 37,000 miles of fiber optic telecommunication lines; and destroyed “18 antenna-mast structures broadcasting TV and radio signals in Ukraine” since invading the country in February.

Off-script

NASA hurled a refrigerator-sized spacecraft millions of miles through space just to smash into an asteroid late last month.

And it was awesome.

NASA reported last Tuesday that its Double Asteroid Redirection Test (DART) succeeded in changing the orbit of Dimorphos, an asteroid about 500 feet across. The goal was to demonstrate how to protect us from a potential future asteroid on a collision course with Earth. (Dimorphos and its larger neighbor Didymos pose no threat, but offered useful test subjects.)

The mission marked the first time humanity has changed the orbit of a celestial body. $325 million well spent, in my book.

Kablooey! This image from the U.S. National Science Foundation’s NOIRLab’s SOAR telescope in Chile shows a 6,000-mile long plume of debris after NASA’s DART spacecraft made impact with the asteroid Dimorphos.

That’s all for now — see you next Sunday! Send tips, feedback and README pitches to bsobczak@synack.com or nmott@synack.com.