AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 06/07/2022

100 days of war in Ukraine: How the conflict is playing out in cyberspace

On January 14th this year, a raid by Russian law enforcement authorities made headlines all over the world, as it resulted in the arrests of 14 members of the infamous Sodinokibi/REvil ransomware gang. The crackdown came after a series of talks between U.S. and Russian officials, including June’s Geneva meeting between Presidents Biden and Putin. The Russian intelligence agency, FSB, confirmed that “the individual responsible for the attack on Colonial Pipeline last spring” was arrested as part of the raid. At the time, when a Russian invasion of Ukraine was a real possibility, some saw this development as a “huge result that few would expect.” Others even called it “Russian ransomware diplomacy”, a kind of message to the U.S. about how far Russia was willing to go in exchange for lighter sanctions over a future invasion of Ukraine.


Costa Rican government held up by ransomware … again

Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica’s government if a ransom wasn’t paid. This month, another band of extortionists has attacked the nation. Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica’s Social Security system, and also struck the country’s public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak. The Costa Rican government said at least 30 of the agency’s servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.


Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme

The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices. It was first seen targeting QNAP Systems, Inc. in January 2022. According to a report from attack surface solutions provider Censys.io, as of Jan. 26, 2022, out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection. A few weeks later, ASUSTOR, another NAS device and video surveillance solutions vendor, also experienced DeadBolt ransomware attacks that targeted an unknown number of its devices. In March, DeadBolt attackers once again targeted QNAP devices; according to Censys.io, the number of infections reached 1,146 by March 19, 2022. Most recently, on May 19, 2022, QNAP released a product security update stating that internet-connected QNAP devices were once again being targeted by DeadBolt, this time aiming at NAS devices running QTS 4.3.6 and QTS 4.4.1.


Apple demos Safari’s ‘passkeys’ support in macOS Ventura that will help bring an end to passwords

At its WWDC 2022 event, Apple just demonstrated how Safari in macOS Ventura will support “passkeys,” a sign-in standard that’s built with cross-platform support to enable logins that don’t use passwords at all. Apple isn’t alone in this effort either, as last month Google and Microsoft joined with Apple to announce their new step forward for a long-in-development plot to kill passwords once and for all. By avoiding the use of passwords entirely, they should prevent users from falling victim to phishing attacks, social engineering, or bot attacks that replay passwords taken from leaked credential databases. Instead, you can use a device (like your phone or computer) as your primary authentication device, so using Face ID or Touch ID or entering the device PIN will be enough for you to log in on various services across the web.
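The phishing resistance the article attributes to passkeys comes from the WebAuthn assertion the device produces: it is bound to the site's origin and relying-party ID, so a credential approved on a look-alike domain fails verification at the real site. The following added example (not from the article, Apple or any WebAuthn library) shows the relying-party-side checks on that binding against a constructed assertion; the relying party `example.com`, its origin, and the `make_assertion` helper standing in for the browser and device are assumptions, and signature verification over the authenticator data is assumed to be done separately.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"  # constructed relying party; an assumption for this example
EXPECTED_ORIGIN = "https://example.com"

def b64url_decode(s):
    """Decode unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge, last_sign_count):
    """Relying-party checks that give a passkey login its phishing resistance.

    The signature check over authenticatorData || sha256(clientDataJSON) is assumed
    to happen elsewhere. Here the browser-reported origin and the authenticator's
    RP ID hash must both match this site, so an assertion made on a look-alike
    domain is rejected even if the user approved it with Face ID or Touch ID.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an assertion"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(client_data.get("origin"))
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence
        return False, "user presence flag not set"
    if not flags & 0x04:  # UV bit: Face ID, Touch ID or device PIN was used
        return False, "user verification flag not set"
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned credential)"
    return True, "ok"

def make_assertion(origin, rp_id, challenge, flags=0x05, sign_count=1):
    """Constructed assertion parts standing in for what a browser and device return."""
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client_data = json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client_data, auth_data
```

Feeding `verify_assertion_binding` an assertion built for `https://examp1e.com` fails on the origin check before any signature is even examined, which is the property that makes a stolen-then-replayed passkey login on a phishing page useless.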


DOJ: Congress looked into CFAA updates but effort was stalled by extortion concerns

Congress looked into amending the 1986 Computer Fraud and Abuse Act (CFAA) to address concerns from cybersecurity researchers before the Justice Department announced last month that it would revise how it enforces the law, a top DOJ official said Monday. Leonard Bailey, head of the cybersecurity unit at the DOJ, was speaking about the changes to how CFAA will be enforced on good-faith security researchers at the RSA cybersecurity conference when he was asked about further concerns some researchers still have. An attendee questioned whether the new DOJ charging guidelines – handed down on May 19 – could be rescinded or changed by another administration. Bailey said the Justice Department was approached by Congress for potential language that could be added to CFAA that would carve out exceptions for security researchers, but they opted instead for revisions to the DOJ’s charging policies.


Mandiant: “No evidence” we were hacked by LockBit ransomware

American cybersecurity firm Mandiant is investigating the LockBit ransomware gang’s claims that it hacked the company’s network and stole data. The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files it allegedly stole from Mandiant will be leaked online. “All available data will be published!” the gang’s dark web leak site threatens under a timer showing just under three hours left until the countdown ends. Update: After LockBit published the files, it looks like this wasn’t about files stolen from Mandiant’s network but, instead, about the ransomware group trying to distance itself from the Evil Corp cybercrime gang. This was likely prompted by LockBit fearing lost revenue, because its victims will stop paying ransoms as Evil Corp is sanctioned by the U.S. government.
