Nation-States and International Threats - 2022

A round-up of global and international cybersecurity news.

August

Taiwanese government sites disrupted by hackers ahead of Pelosi trip

PUBLISHED: August 2, 2022

Several websites run by the government of Taiwan were disrupted by distributed denial-of-service (DDoS) attacks hours before U.S. House Speaker Nancy Pelosi arrived, becoming the highest-ranking U.S. official to visit the island in 25 years.

Chang Tun-Han, a spokesperson for Taiwanese President Tsai Ing-wen, said that at around 5 p.m. local time on Tuesday the website of the president’s office was hit with an “overseas DDoS attack” that pushed traffic to 200 times its normal level. The spokesperson said the site was restored 20 minutes after the attack began, but as of Tuesday afternoon EST the English-language version of the presidential office’s website displayed only the word “OK” in its top-left corner.

In addition to the attacks on the presidential office’s website, experts noted that the websites of the National Defense Ministry, the Foreign Affairs Ministry and the country’s largest airport, Taiwan Taoyuan International Airport, were also affected. The two ministry websites were accessible on Tuesday afternoon EST, but the airport’s website was still unresponsive.

Taiwan’s National Defense Ministry and Foreign Affairs Ministry did not respond to requests for comment.

In a separate statement, the spokesperson (whose name is also romanized as Zhang Dunhan) said government agencies will “continue to strengthen monitoring to maintain national information and communication security and the stable operation of key infrastructure” as the country faces “continuous compound information operations by foreign forces.”

Sources: The Record by Recorded Future

June

Russia warns of a “military clash” if it’s hit by US cyberattacks

PUBLISHED: June 10, 2022

A Russian cybersecurity official warned on Thursday that Western cyberattacks on the country’s critical infrastructure could lead to a “direct military clash.” The remarks, which came from the Russian foreign ministry’s head of international information security and were first reported by Reuters, were delivered a little more than a week after NSA and Cyber Command chief General Paul Nakasone said that U.S. military hackers “conducted a series of operations” to support Ukraine.

The website for Russia’s housing ministry was also hacked over the weekend, redirecting users to a “Glory to Ukraine” banner, though that attack has not been definitively attributed yet. “Rest assured, Russia will not leave aggressive actions unanswered,” the foreign ministry statement said. “All our steps will be measured, targeted, in accordance with our legislation and international law.”

Top U.S. cybersecurity officials have warned about Russian cyberattacks, cautioning that the country could deploy self-propagating malware like NotPetya that spreads through networks indiscriminately. Last week, FBI Director Christopher Wray said the agency is “laser focused” on preventing Russian cyberattacks, which he warned could increase as the country continues to struggle in its war with Ukraine.

Sources: The Record by Recorded Future

 

FBI director warns that Russia might resort to destructive cyberattacks

PUBLISHED: June 1, 2022

The director of the FBI on Wednesday said the intelligence agency is “laser focused” on thwarting Russian cyber operations, warning that the country has taken steps to launch potential destructive attacks.

In a far-reaching keynote address delivered at Boston College’s Conference on Cyber Security, FBI Director Christopher Wray spoke about immediate threats tied to Russia’s war on Ukraine, saying that the country’s “recklessness with human lives carries over to how they act in cyberspace.”

The threat of wiper malware and other damaging attacks has prompted the FBI to launch operations earlier in the process than they might have in the past — such as when they observe Kremlin-linked hackers scanning organizations, instead of when they attempt to deploy malware or steal information. “Russia has… gained access to thousands of companies, including critical infrastructure,” Wray said. “They could use the same access to do something potentially destructive.”

Although Wray began his speech by sounding the alarm on Russia, he later emphasized cyberthreats from Iran, North Korea, and China — which he said has “a bigger hacking program than all other nations combined.”

“We cannot let up on China or Iran or criminal syndicates while we’re focusing on Russia,” Wray said. “We’re taking on all those threats.”

Sources: The Record by Recorded Future

May

Greenland says health services ‘severely limited’ after cyberattack

PUBLISHED: May 19, 2022

The government of Greenland confirmed reports this week that the island’s hospital system was “severely” impacted by a cyberattack.  Government officials did not respond to requests for comment about whether it was a ransomware attack, but in a statement, explained that the healthcare system’s digital network crashed because of the incident.

They were forced to restart all IT systems and servers, meaning hospital workers cannot access any patient medical records. “The health service’s services are therefore severely limited and increased waiting time must be expected and some will experience going in vain at agreed times. Acute inquiries will of course continue to be met and you can contact the health service by phone,” the government said in a statement translated from Danish.

Healthcare organizations have been a prime target for ransomware groups and other malicious hackers in recent years. Hundreds of hospitals across the world have been attacked, with some of the largest incidents involving the healthcare systems of Ireland and New Zealand.

The Conti ransomware group attacked Ireland’s Health Service Executive in May 2021, causing weeks of disruption at the country’s hospitals. Ireland refused to pay the $20 million ransom and now estimates it may end up spending $100 million recovering from the attack.  Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”

The group similarly crippled dozens of hospitals in New Zealand and made a point of going after U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 911 dispatch centers, and municipalities within the last year, according to the FBI.

Sources:

The Record by Recorded Future

 

Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million

PUBLISHED: May 16, 2022

The ransomware group behind an attack on several Costa Rican government ministries issued a series of threats against the country this weekend, doubling its ransom demand to $20 million and threatening to “overthrow” the government of new President Rodrigo Chaves. In two messages posted to its leak site on Saturday, the Conti ransomware group, which says it has already leaked 97% of the 670 GB it stole, claimed the U.S. government was “sacrificing” Costa Rica and that the country’s government should pay for the decryption keys to unlock its systems.

Costa Rica’s new government took office last week and immediately declared a state of emergency after refusing to pay the initial $10 million ransom demanded by Conti. The country has received assistance from officials in the U.S., Israel and other countries. After the attack on Costa Rica, the U.S. State Department offered a reward of up to $10 million for information on the identity or location of Conti’s leaders.

“Why not just buy a key? I do not know if there have been cases of entering an emergency situation in the country due to a cyber attack? In a week we will delete the decryption keys for Costa Rica,” the group threatened.  “I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible. If your current government cannot stabilize the situation? Maybe its worth changing it?”

“Just pay before it’s too late, your country was destroyed by 2 people, we are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power, you have introduced an emergency,” the group added.

Organizations affected by the attack include:

  • The Finance Ministry
  • The Ministry of Science, Innovation, Technology, and Telecommunications
  • The Labor and Social Security Ministry
  • The Social Development and Family Allowances Fund
  • The National Meteorological Institute
  • The Costa Rican Social Security Fund
  • The Interuniversity Headquarters of Alajuela

Sources:

The Record by Recorded Future

April

Conti ransomware attack was aimed at destabilizing government transition, Costa Rican president says

PUBLISHED: April 22, 2022

Several systems operated by the government of Costa Rica were hit with a ransomware attack this week, according to the country’s president, Carlos Alvarado Quesada. The Conti ransomware group added systems connected to several government agencies to its list of victims on Tuesday and Wednesday, and government officials confirmed Conti’s involvement.

Alvarado said the attack was meant to “threaten the stability of the country in a transition situation.” The country elected a new president, former World Bank official Rodrigo Chaves, on April 4. Alvarado released a video addressing the ransomware attack on Thursday, telling the public that the country would not pay the ransom, reported to be $10 million.

“It is not just an attack on the institutions affected, the government or importers and exporters. It is a criminal cyberattack on the state and the entire country. It cannot be separated from the complex global geopolitical situation in a digitalized world,” he said.

Business leaders told the Associated Press that they were fearful of financial and personal information being stolen, leaked to the press or sent to government officials.

The outgoing president signed a directive on Thursday that made it mandatory for all government bodies to report security incidents to the country’s Computer Security Incident Response Center. The directive also orders all agencies to patch systems, change passwords, disable unnecessary ports and monitor network infrastructure.

Sources:

The Record by Recorded Future

 

U.S. offers $5 million for info on North Korean cyber operators

PUBLISHED: April 15, 2022

The State Department announced Friday that it is offering a reward of up to $5 million for information about North Korean digital operations that help keep the regime afloat and fund its weapons programs. The department’s Rewards for Justice program will issue the money for “information on those who seek to undermine cybersecurity, including financial institutions and cryptocurrency exchanges around the world” for Pyongyang’s benefit.

Foggy Bottom will also pay up for details about anyone who “knowingly engages in significant activities undermining cybersecurity through the use of computer networks or systems against foreign persons, governments, or other entities” on behalf of North Korean leader Kim Jong Un’s government, the department said.

The reward offer came the day after the FBI attributed the hack of the Ronin Network, the blockchain bridge behind the game Axie Infinity, to the North Korean state-backed hacking group Lazarus. The theft netted hundreds of millions of dollars’ worth of cryptocurrency, most of it Ether (ETH), the native token of the Ethereum blockchain, making it one of the biggest cryptocurrency heists ever.

Last July, the Rewards for Justice program offered up the same dollar amount for information to help identify or locate anyone engaged in foreign state-sanctioned malicious cyber activities, including ransomware operations, against U.S. critical infrastructure after the U.S. public and private sectors were hit by various ransomware campaigns.

Sources:

The Record by Recorded Future

March

Potential cybersecurity impacts of Russia’s invasion of Ukraine

PUBLISHED: March 29, 2022

The ongoing situation in Ukraine could produce a range of cybersecurity-related risks that organizations and individuals need to begin protecting themselves against immediately.

Here are some of the ways in which Russia’s invasion of Ukraine may impact cybersecurity, and what organizations can do to stay safe in a continually evolving crisis.

Increased Stakes – Wiper Malware

In tandem with the physical strikes against Ukraine, a piece of wiper malware first detected by researchers at Symantec and ESET began hitting organizations in Ukraine. Named HermeticWiper and analyzed by SentinelOne among others, it differs from typical financially motivated malware in one important way: its operators are not looking for payment; they only want to do damage.

Current analyses of HermeticWiper reveal that the malware is being delivered in highly-targeted attacks in Ukraine, Latvia, and Lithuania. Its operators seem to leverage vulnerabilities in external-facing servers while utilizing compromised account credentials to gain access and spread the malware further.

These tactics are nothing new, and familiar cybersecurity best practices around privileged access hold true. But here, the stakes have changed. Even in the worst-case-scenario of any ransomware attack, there’s at least a promise (which could admittedly be false) of a decryption key that can be purchased for a price. With a wiper malware, there is no such opportunity.

The Risk of Scams

In 2020, as COVID-19 infections climbed to the point that the outbreak was declared a global pandemic, online scammers pounced, sending bogus emails asking for donations to fake charities and registering thousands of COVID-19-related domains to trick unwitting victims out of their money or their account credentials.

With Russia’s invasion of Ukraine, the same playbook is likely to reappear, as online scammers constantly look for the latest crisis to exploit.

For any donation request that looks like it might be a scam, apply the same rules that apply to phishing emails: are there misspellings, grammatical mistakes, unknown senders, or unfamiliar charities involved? Check before handing over any money.

The Risk of Focusing Too Heavily on Ukraine

While Ukraine is in crisis, several online threat actors have continued their own assault campaigns.

On February 24, multiple outlets reported that a ransomware gang that the cybersecurity firm Mandiant tracks as “UNC2596” was exploiting vulnerabilities in Microsoft Exchange to deliver its preferred ransomware, colloquially dubbed “Cuba.” On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it had spotted “malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.” Those attacks were targeting both government and private-sector organizations in Asia, Africa, Europe, and North America.

An international humanitarian crisis does not pause other threat actors. Organizations should follow the same guidance as before to protect themselves from the most common online threats.

As CISA Director Jen Easterly warned on Twitter:

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners.”

Sources:

Malwarebytes Blog, Krebs on Security, Forbes

 

Sharp increase in Ukraine-related spam 

PUBLISHED: March 18, 2022

The world has responded to Russia's invasion of Ukraine with an outpouring of support for the Ukrainian people. That hasn't escaped the notice of scammers, who are all too willing to take advantage of people's desire to help. 

Spam and scam attempts frequently reference global fundraising efforts for places and people in crisis, and Ukraine is no different. Proofpoint, an enterprise security company, has observed a marked increase in Ukraine-related spam since March 1, 2022.

ukrainewelfare[.]com, a good example of this phenomenon, was registered on March 5 and poses as a non-governmental organization soliciting donations and aid. The site uses screenshots of news clips, headlines, and photographs from the crisis in Ukraine. It also contains various links to donate cryptocurrency but, notably, does not say how the money will be used.

"Wherever there is war," said Bogdan Botezatu, who runs threat research at cybersecurity technology company Bitdefender, "there will be jackals trying to piggyback on people's pain." 

There's no shortage of legitimate charities raising money online to help refugees. The best way to reach them is to type their URL directly into your browser or get a link from a trusted source. If you are donating money through an organization like the American Red Cross, for example, be sure you’re on the actual Red Cross site and not a cleverly disguised phishing site. It’s easy to copy the look of a website and steal official logos. The real tipoff is the URL. Don’t rely on a link you received from someone or clicked on social media; navigate to the official website yourself. 
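The advice above comes down to checking the registrable domain rather than the look of the page. The Python script below is an added example (not from the original page, Proofpoint, or any of the cited sources) that performs that check mechanically for both the March 29 and March 18 entries: it refangs a defanged indicator, extracts the registrable domain, compares it with an allowlist of official charity domains, looks for a charity’s brand name embedded in some other domain, and flags domains registered only days before. The allowlist, the registration dates, the short two-level suffix list and the sample links are all constructed for the example; a real deployment would load the allowlist from a vetted source and query WHOIS/RDAP instead of the lookup table.

```python
"""Triage donation links against an allowlist of official charity domains.

Added illustration, not code from the page or its sources. Everything in
the tables below is constructed sample data.
"""
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains for organisations a donor might intend to reach.
OFFICIAL_DOMAINS = frozenset({"redcross.org", "unicef.org", "icrc.org"})

# Constructed stand-in for a WHOIS/RDAP lookup: registrable domain -> creation date.
FAKE_WHOIS: Dict[str, date] = {
    "redcross.org": date(1995, 4, 18),
    "ukrainewelfare.com": date(2022, 3, 5),          # the page's example: registered days after the invasion
    "redcross-ukraine-help.org": date(2022, 3, 2),   # constructed lookalike
}

# Public suffixes with two labels that we handle without a full Public Suffix List (assumption).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.ua", "org.ua", "com.au"}


def refang(text: str) -> str:
    """Turn a defanged indicator such as ukrainewelfare[.]com or hxxps:// back into a usable URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(url: str) -> str:
    """Return the registrable (apex) domain of a URL, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(domain: str) -> Optional[str]:
    """Return the official domain whose brand label is embedded in an unofficial domain, if any."""
    for official in sorted(OFFICIAL_DOMAINS):
        brand = official.split(".")[0]
        if domain != official and brand in domain.replace("-", ""):
            return official
    return None


def triage(link: str, today: date = date(2022, 3, 18), max_age_days: int = 90) -> dict:
    """Classify a donation link as 'official', 'suspicious' (with reasons) or 'unknown'."""
    domain = registrable_domain(refang(link))
    reasons: List[str] = []
    if domain in OFFICIAL_DOMAINS:
        return {"domain": domain, "verdict": "official", "reasons": reasons}
    lookalike = brand_lookalike(domain)
    if lookalike:
        reasons.append(f"brand of {lookalike} embedded in unofficial domain")
    created = FAKE_WHOIS.get(domain)
    if created is not None and (today - created).days <= max_age_days:
        reasons.append(f"registered {(today - created).days} days ago")
    return {"domain": domain, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://www.redcross.org/donate",
                   "ukrainewelfare[.]com",
                   "hxxps://donate.redcross-ukraine-help.org/eth"):
        print(triage(sample))
```

The allowlist match is the only positive signal; the brand and registration-age checks are heuristics that surface the two common patterns, a lookalike that borrows a known name and a brand-new domain such as ukrainewelfare[.]com that borrows no name at all. That is the same point the paragraph makes: navigate to the known site rather than trusting a link.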

Sources: 

CNET, USA Today, Malwarebytes Blog

 

Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols 

PUBLISHED: March 15, 2022

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat.  

CISA encourages users and administrators to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. For general information on Russian state-sponsored malicious cyber activity, see cisa.gov/Russia. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and cisa.gov/shields-up. 
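The advisory’s intrusion chain is worth restating because the mitigations follow from it: the actors obtained a valid account that had been un-enrolled from MFA after inactivity, re-enrolled it, edited the hosts file on a domain controller so that the MFA provider’s cloud API hostname resolved to 127.0.0.1, and relied on the client’s default “fail open” setting to log in without a second factor; PrintNightmare then gave them SYSTEM. The Python script below is an added example (not from the page or from CISA) that audits artifacts collected from a Windows host for exactly those conditions. The advisory names Duo as the MFA product; the registry paths used here follow Duo’s documented FailOpen setting and Microsoft’s Point and Print hardening guidance, but treat both as assumptions to verify against current vendor documentation. The hosts file, registry values and service table are constructed sample data, and the API host label in the hosts entry is invented.

```python
"""Offline audit for the conditions described in AA22-074A.

Added illustration, not code from the page or from CISA. Inputs are what an
endpoint agent or a registry export would have collected; the samples at the
bottom are constructed.
"""
import re
from typing import Dict, List, Tuple

# DNS suffixes of the MFA provider's cloud API. The advisory names Duo; the exact
# host label is redacted there, so the label used in SAMPLE_HOSTS is invented.
MFA_API_SUFFIXES = ("duosecurity.com",)

# Registry locations (assumptions to verify against vendor/Microsoft documentation).
MFA_FAIL_OPEN_KEY = r"HKLM\SOFTWARE\Duo Security\DuoCredProv\FailOpen"
POINT_AND_PRINT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
RESTRICT_DRIVERS_KEY = POINT_AND_PRINT + r"\RestrictDriverInstallationToAdministrators"
NO_WARNING_KEY = POINT_AND_PRINT + r"\NoWarningNoElevationOnInstall"

# "<ip> <name> [<name> ...] [# comment]"
HOSTS_LINE = re.compile(r"^\s*(?P<ip>[0-9a-fA-F.:]+)\s+(?P<names>.+?)\s*(?:#.*)?$")


def mfa_api_overrides(hosts_text: str) -> List[Tuple[str, str]]:
    """Any static hosts entry for the MFA API is suspicious: the API should resolve via DNS.
    Pinning it to loopback is the specific trick from the advisory (the client then fails open)."""
    hits = []
    for line in hosts_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        for name in m.group("names").split():
            if name.lower().endswith(MFA_API_SUFFIXES):
                hits.append((m.group("ip"), name))
    return hits


def mfa_fails_open(registry: Dict[str, int]) -> bool:
    """True when the MFA client is configured to allow logon if its service is unreachable."""
    return registry.get(MFA_FAIL_OPEN_KEY, 0) == 1


def spooler_findings(services: Dict[str, str], registry: Dict[str, int]) -> List[str]:
    """PrintNightmare exposure: Spooler running with Point and Print driver installs unrestricted."""
    findings: List[str] = []
    if services.get("Spooler", "").lower() != "running":
        return findings  # stopped or absent: the attack surface is gone on this host
    if registry.get(RESTRICT_DRIVERS_KEY) != 1:
        findings.append("SPOOLER_RUNNING_DRIVER_INSTALL_NOT_RESTRICTED")
    if registry.get(NO_WARNING_KEY) == 1:
        findings.append("SPOOLER_RUNNING_POINT_AND_PRINT_NO_WARNING")
    return findings


def audit(hosts_text: str, registry: Dict[str, int], services: Dict[str, str]) -> List[str]:
    """Combine the three checks into one list of finding strings (empty list = clean)."""
    findings = [f"MFA_API_OVERRIDDEN_IN_HOSTS {name}->{ip}" for ip, name in mfa_api_overrides(hosts_text)]
    if mfa_fails_open(registry):
        findings.append("MFA_FAIL_OPEN")
    findings.extend(spooler_findings(services, registry))
    return findings


# Constructed sample artifacts from a domain controller matching the advisory's pattern:
# one attacker-added hosts entry, fail-open left at the default, Spooler running unrestricted.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       api-11111111.duosecurity.com   # not in the stock hosts file
"""
SAMPLE_REGISTRY = {MFA_FAIL_OPEN_KEY: 1, RESTRICT_DRIVERS_KEY: 0, NO_WARNING_KEY: 1}
SAMPLE_SERVICES = {"Spooler": "Running"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, SAMPLE_REGISTRY, SAMPLE_SERVICES):
        print(finding)
```

The same checks translate directly into a PowerShell or EDR query; the point is that each setting removes one link of the chain: MFA configured to fail closed, the Spooler stopped on domain controllers and servers that never print, and RestrictDriverInstallationToAdministrators set to 1 where it must keep running.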

Source: 

  • CISA

February

Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations 

PUBLISHED: February 24, 2022

CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.  

MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.  

CISA encourages users and administrators to review the joint CSA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. For additional information on Iranian cyber threats, see CISA’s Iran Cyber Threat Overview and Advisories webpage. 

Source: 

  • CISA

January

Microsoft Warns of Destructive Malware Targeting Ukrainian Organizations 

PUBLISHED: January 16, 2022

Microsoft has released a blog post on possible Master Boot Record (MBR) wiper activity targeting Ukrainian organizations, including Ukrainian government agencies. According to Microsoft, the malware runs when the victim device is powered down and overwrites the MBR with a ransom note; the note is a ruse, because the malware destroys the MBR and the targeted files rather than encrypting them for payment. 

CISA recommends network defenders review the Microsoft blog for tactics, techniques, and procedures, as well as indicators of compromise related to this activity. CISA additionally recommends network defenders review recent Cybersecurity Advisories and the CISA Insights, Preparing For and Mitigating Potential Cyber Threats. 
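Both this entry and the HermeticWiper entry from March 29 concern malware that destroys boot structures rather than encrypting data for ransom, so a responder’s first question about a suspect machine is whether its first sector is still sane. The Python below is an added example (not from the page, Microsoft or CISA) that runs that check offline on the first 512 bytes of a disk image: boot signature, partition-table plausibility, a long printable run in the boot-code area where a planted note would sit, and optionally a hash comparison against a baseline captured before the incident. Both sample sectors, including the note text, are constructed for the example and are not taken from any real malware.

```python
"""Offline first-sector triage for an MBR wiper.

Added example, not code from the page or its sources. Two 512-byte sectors
are constructed in memory (a healthy one and a wiped one) so the checks run
without a disk image; on a real case pass the image's first 512 bytes.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 440)           # classic MBR layout: x86 boot code
PARTITION_TABLE = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"             # bytes 510-511
MIN_SUSPICIOUS_RUN = 32             # genuine boot code has no long printable-ASCII runs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four MBR partition entries (status, type, LBA start, sector count)."""
    table = sector[PARTITION_TABLE]
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", table, i * 16)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def usable_partitions(sector: bytes) -> int:
    """Count entries with a non-zero type, a sane status byte and a non-empty extent."""
    return sum(1 for e in parse_partition_table(sector)
               if e["type"] != 0 and e["status"] in (0x00, 0x80) and e["lba_start"] > 0 and e["sectors"] > 0)


def longest_printable_run(data: bytes) -> int:
    """Longest run of printable ASCII, the same signal `strings` would surface."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best


def assess(sector: bytes, baseline_sha256: Optional[str] = None) -> Dict[str, object]:
    """Classify a first sector as 'intact' or 'suspect', with the reasons."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    reasons: List[str] = []
    signature_ok = sector[510:512] == SIGNATURE
    if not signature_ok:
        reasons.append("boot signature missing")
    usable = usable_partitions(sector)
    if usable == 0:
        reasons.append("no usable partition entries")
    run = longest_printable_run(sector[BOOT_CODE])
    if run >= MIN_SUSPICIOUS_RUN:
        reasons.append(f"{run}-byte printable run in boot code")
    if baseline_sha256 is not None and sha256_hex(sector) != baseline_sha256:
        reasons.append("baseline mismatch")
    return {"signature_ok": signature_ok, "usable_partitions": usable,
            "longest_printable_run": run, "reasons": reasons,
            "verdict": "suspect" if reasons else "intact"}


def build_healthy_mbr() -> bytes:
    """Constructed: a stub of boot code, one bootable NTFS partition, valid signature."""
    boot = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 435
    disk_id = b"\x11\x22\x33\x44\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return boot + disk_id + entry + b"\x00" * 48 + SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed: boot code replaced by a note, partition table zeroed, signature left in place."""
    note = b"Your hard drive has been corrupted. Send $10k in BTC to recover your files."
    return note.ljust(440, b"\x00") + b"\x00" * 70 + SIGNATURE


if __name__ == "__main__":
    healthy, wiped = build_healthy_mbr(), build_wiped_mbr()
    print("healthy:", assess(healthy, baseline_sha256=sha256_hex(healthy)))
    print("wiped:  ", assess(wiped, baseline_sha256=sha256_hex(healthy)))
```

Note that the constructed wiped sector keeps a valid 0x55AA signature: a signature check alone passes it, and only the empty partition table, the text run and the baseline mismatch mark it as suspect. That is why the verdict combines several signals rather than trusting any one of them, and why capturing a baseline hash of the first sector at deployment time is cheap insurance.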

Source: 

CISA

 

US releases Cybersecurity Advisory on Russian cyber threats to domestic critical infrastructure 

PUBLISHED: January 11, 2022

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The CSA also provides detection actions, incident response guidance, and mitigations. CISA, the FBI, and NSA are releasing the joint CSA to help the cybersecurity community reduce the risk presented by Russian state-sponsored cyber threats.   

CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the joint CSA. CISA recommends network defenders review CISA's Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. CISA recommends critical infrastructure leaders review CISA Insights: Preparing For and Mitigating Potential Cyber Threats for steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.  

Source: 

  • CISA
