AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 03/09/2022

  1. Rompetrol gas station network hit by Hive ransomware

Romania’s Rompetrol gas station network has been hit by a ransomware attack. A subsidiary of KMG International, Rompetrol announced today that it is dealing with a “complex cyberattack” that forced it to shut down its websites and the Fill&Go service at gas stations. BleepingComputer has learned that the Hive ransomware gang is behind this attack, and that it is asking for a multi-million ransom. Rompetrol is the operator of Romania’s largest oil refinery, Petromidia Navodari, which has a processing capacity of over five million tons per year.


  2. Malware now using NVIDIA’s stolen code signing certificates

Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data. The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and began leaking the data online after NVIDIA refused to negotiate with them. The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.


  3. Supply chain vulnerabilities hit medical and IoT devices

Researchers at Forescout’s Vedere Labs have discovered a set of vulnerabilities in the PTC Axeda agent, which is commonly used in medical and IoT devices. The Axeda agent enables device manufacturers to remotely access and manage connected devices, making these vulnerabilities reminiscent of the Kaseya hack and the SolarWinds Orion compromise. More than 150 device models from over 100 manufacturers are potentially affected by these vulnerabilities. Devices utilizing the impacted Axeda agents include surgical, ventilation and radiotherapy equipment along with several medical imaging and laboratory devices. There is a set of seven vulnerabilities in all, which Forescout is calling ‘Access:7’, and three of these are rated critical. Protection requires patching devices running the vulnerable versions of the Axeda components. PTC has released its official patches, and device manufacturers using this software should provide their own updates to customers.


  4. Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say

A Twitter account known as ContiLeaks debuted to much fanfare in late February, with people around the globe watching as tens of thousands of leaked chats between members of the Russia-based ransomware gang Conti hit the web. In the days after the leaks, many celebrated what they thought would be a devastating blow to Conti, which a Ukrainian security researcher had apparently punished by leaking the internal chats because the gang threatened to “strike back” at any entities that organized “any war activities against Russia.” But ten days after the leaks began, Conti appears to be thriving. Experts say the notorious ransomware gang has pivoted all too easily, replacing much of the infrastructure that was exposed in the leaks while moving quickly to hit new targets with ransom demands. According to Vitali Kremez, CEO of the cybersecurity firm AdvIntel, by Monday morning Conti had successfully completed two new data breaches at U.S.-based companies.


  5. Cow-counting app abused by China ‘to spy on US states’

Beijing’s spies compromised government computer networks in six US states by exploiting, among other flaws, a vulnerability in a cattle-counting system, according to Mandiant. Meanwhile, Proofpoint reckons a China-aligned miscreant is targeting European governments. Both firms warned this week that Middle-Kingdom-backed snoops are stepping up their operations against Western targets. Mandiant said APT41 aka Double Dragon, one of China’s more aggressive intrusion crews, exploited a zero-day vulnerability in a web app called USAHerds, used by agriculture officials to track the health and density of the nation’s livestock, to break into US state government systems. Once inside, APT41 deployed custom in-memory Windows malware that was periodically restarted as a scheduled task to ensure persistence.


  6. Mandiant Reports 6 U.S. States Hacked by China-Backed Actors

Chinese government-sponsored attackers have managed to hack at least six states, according to a March 8 blog post from cybersecurity firm Mandiant. The company did not reveal which states were affected but said U.S. state governments appear to have been deliberately targeted rather than simply falling victim to an indiscriminate mass attack. Some of the attacks were made after hackers discovered encryption keys to USAHERDS, a software application used by 18 state governments. Once known, these same keys could work against every server running USAHERDS, Mandiant said, meaning that more than just these six states could have been impacted. According to WIRED, Mandiant says the software’s developer, Acclaim Systems, has since patched the vulnerability.


  7. Intel chiefs, lawmakers wait for other shoe to drop on Russian cyberattacks against Ukraine

U.S. intelligence leaders and House lawmakers on Tuesday signaled they remain on edge that Russia could unleash a digital salvo on the country, and its allies, as Moscow’s invasion of Ukraine escalates. The various remarks — made during the public segment of the House Intelligence Committee’s annual worldwide threats hearing — are the latest acknowledgment that, while Russia has engaged in some malicious activities against Ukraine, the Kremlin has yet to fully deploy its legions of hackers, and that what until now have been minor skirmishes could grow into full-scale online conflict with ramifications for the rest of the world. “Offensive cyber operations present a significant risk to our homeland,” Intelligence Committee Chair Adam Schiff (D-Calif.) said in his opening statement. “As the crisis in Ukraine continues, we must be extremely watchful.” The Biden administration last month attributed denial of service attacks on Ukrainian military and bank websites to Russia’s military intelligence agency, prompting officials to warn systems administrators in the public and private sectors to watch for suspicious activity that could disrupt their operations.
