Ukraine resistance, dark web scams and a new CISO for Colonial Pipeline

Welcome to Changelog for 2/27/22, published by Synack! Russia’s invasion of Ukraine ushered in a bleak new era for Europe. With casualties mounting on both sides and Ukrainian refugees streaming into Poland, the global security ramifications of the conflict are just beginning to unfold. President Biden joined a host of European leaders in announcing sanctions against major Russian financial institutions and oligarchs last week, which could prompt retaliatory cyberattacks on Western targets. The news wasn’t all bad: Beleaguered energy giant Colonial Pipeline got a new CISO to keep ransomware at bay. Here’s what happened:

The payload

Ukraine isn’t going quietly.

Russia’s invasion of its western neighbor has been met with fierce resistance — dozens of attacking tanks and several aircraft were destroyed in the first few days of fighting, Ukrainian authorities said. A team of 13 Ukrainians guarding a tiny Black Sea island staged a defiant last stand, according to multiple video and audio sources, telling an encroaching Russian warship to “go fuck yourself” before being killed.

War has returned to Europe, and that’s far more devastating than any cyberattack.

But hacking threats persist, and Ukraine’s government called for volunteers from its vibrant hacker community to defend critical infrastructure and even go on offense against Moscow, as Reuters reported Thursday.

The announcement, rolled out through hacking forums and Telegram channels as a pseudo-official Defense Ministry operation, came as yet more destructive malware, HermeticWiper, cropped up in Ukrainian computers last week, following up on the WhisperGate “wiper” tool that infected dozens of networks in January. HermeticWiper overwrites the Master Boot Record of victim Windows machines, as Nathaniel Mott reports for README.

The barrage of DDoS attacks, phishing attempts and payloads has rightfully taken a backseat to troop movements, tanks and missile strikes. But the constant cybersecurity threats facing Ukraine can’t be ignored either. The Conti ransomware group on Friday threatened to launch attacks on critical infrastructure, throwing its “full support” behind the Russian government. (The group later tried to walk back the statement.) And with the security situation as fragile as it is in many areas of Ukraine, a disruptive cyberattack could tip an already-suffering population into chaos, just as Ukrainian and Russian delegations have agreed to meet for peace talks.

As former White House cybersecurity official Jay Healey told the Washington Post, a Russian cyber offensive could “have far more impact on the battlefield, more coercive power, more lethal and widespread effect than many doubters would expect.”

The week, compiled

A dark web emporium shut down under suspicious circumstances last month, as Kim Crawley reports for README. Monopoly Market was known for its bustling drug trade and its unusually long North American lifespan — the market dated back all the way to summer 2019. (Most such sites fizzle out or are seized by law enforcement in a matter of months, not years.)

Illustration: Si Weon Kim

Crawley notes that Monopoly Market may have folded in an exit scam, in which the site’s administrators ran away with as much escrow money as they could grab while slamming the door on the way out.

Count me unsurprised. The dark web has always struck me as layer upon layer of scam — like an onion, if you will — from the lowliest of stolen credit card number sellers up to the profiteers who prey on casual internet users’ fear of the unknown. (WARNING: Your Social Security number has appeared on the dark web! Pay us!)

The good news is that each darknet market takedown, exit scam or otherwise, puts a dent in the dangerous criminal markets that help make some of the most disruptive cyberattacks (like ransomware) profitable.

You won’t want to miss this: On March 24, README is teaming up with the R Street Institute’s Making Space Initiative to throw a party and networking event to highlight initiatives that break down barriers in the cybersecurity industry. Get your free ticket here to join me and several cybersecurity trailblazers at the Jack Rose Dining Saloon, just a few blocks away from ShmooCon!

Here’s what else played out last week:

Colonial Pipeline: Less than a year after being hit by one of the most disruptive ransomware attacks in U.S. history, fuel pipeline giant Colonial Pipeline has announced it’s hired a new CISO. Adam Tice, a post-breach Equifax alum and former consultant at Mandiant, shared some thoughts on last year’s maelstrom of cyberattacks: “One bad day can cause a ripple effect across the country.” In Colonial’s case, that meant shutting down nearly half the East Coast’s fuel supplies for days, spurring panic buying and gasoline shortages. “What’s important in a post-breach environment is the willingness to invest in technology, talent and infrastructure to come back from an incident even stronger,” Tice said.

Foreign Affairs: “Momentary lapses in vigilance can snowball into a continent-wide catastrophe” all too often in cyberspace, as National Cyber Director Chris Inglis and senior adviser Harry Krejsa warned in an op-ed Monday. They called for a new “cyber social contract” that doubles down on familiar solutions like better government-industry collaboration and more investment in resilience.

The Wall Street Journal: Microsoft security executive Charlie Bell likened today’s cyber landscape to “digital medievalism,” in which attackers and defenders hole up in their own castles. He’s been leading a multibillion-dollar juggling act to secure Microsoft’s customers while centralizing the tech giant’s security operations.

TechCrunch: An IDOR vulnerability affecting a huge array of Android spyware apps may have exposed sensitive data for hundreds of thousands of targeted phone users, according to a monthslong investigation by Zack Whittaker.

A message from Synack

Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.

Flash memory

Six years ago, unconventional venture-capital fund “The DAO” — short for “decentralized autonomous organization” — kicked off a crowdsourced fundraising bid on the Ethereum blockchain platform. The wildly successful fundraising effort set the stage for one of the biggest cryptocurrency heists in history, which caused a disruptive split in the Ethereum network in July 2016.

The mechanics of the early ETH crisis involved rogue “childDAOs,” antipatterns and an untimely DoS vulnerability that forced a “hard split” in the entire cryptocurrency network. An unknown attacker was able to siphon off over 3.6 million ETH by exploiting a vulnerability in the way cryptocurrency could be withdrawn from The DAO.


Last week, cryptocurrency journalist Laura Shin laid out a compelling case in Forbes that 36-year-old Austrian programmer Toby Hoenisch was behind the sprawling hack of The DAO. (Hoenisch denied it, but also declined to offer details refuting Shin’s findings.)

The case underscores how the cryptocurrency world’s secretive reputation has irrevocably changed: “One of the first uses of crypto — as an anonymity shield — is in retreat, thanks to both regulatory pressure and the fact that transactions on public blockchains are traceable,” Shin wrote.

Local files

ZDNet: Seattle-based freight and logistics company Expeditors International shut down most of its operating systems worldwide after an unspecified “cyber-attack.” (Ransomware is a likely suspect.)

NY.gov: New York Gov. Kathy Hochul (D) announced the launch of a cybersecurity “nerve center” in Brooklyn, backed by the state’s hefty $61.9 million cybersecurity budget. The new Joint Security Operations Center is aimed at “allowing cyber teams to have a centralized viewpoint of threat data,” according to Hochul’s office.

Off-script

“A clogged and muddy mess” — Modern Retail’s Cale Guthrie Weissman took readers on a seesaw tour of drip coffee brand Bonavita’s meteoric rise and mysterious disappearance, replete with legal disputes, distribution woes and a rumored relaunch. I followed the saga with unusual interest: I’m in the market for a new coffee machine, which qualifies as critical infrastructure in my two-journalist household.

Brew Coffee/Giphy

That’s it for this week — tips, feedback and coffee bean recommendations are all welcome: bsobczak@synack.com.