Threat Source newsletter (Aug. 25, 2022) — We're still not talking about Ukraine enough

2022-08-25 18:00:00
Jon Munshaw ([email protected])
blog.talosintelligence.com

8.8 High (CVSS3)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

_By Jon Munshaw._

Welcome to this week’s edition of the Threat Source newsletter.

Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere.

The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is expected to continue.

As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks. Because there’s been no one major cyber attack against Ukraine since Russia’s invasion began, the larger public perception is that things haven’t been “that bad.” But state-sponsored actors have continually barraged Ukrainian government entities and critical infrastructure with a range of attacks, including the infamous Fancy Bear and Sandworm groups.

Ukraine’s state nuclear power company also said last week that state-sponsored actors launched a three-hour attack on its websites.

A three-hour distributed denial-of-service attack isn’t going to headline the nightly news, but that doesn’t mean such attacks aren’t happening and making it harder for the Ukrainian government and critical infrastructure to operate. There are people who, six months into this, are still having to fend off cyber threats daily, sometimes just to keep the internet on or to make sure that week’s grain shipment goes out on time.

While headlines come and go, it’s important to remember that some things are always going on in the background that matter more than the newest headline distracting us with the latest trojan someone found on the Android store.

The one big thing

> All Apple users should update their devices if they haven’t already. The company released updates for iOS, iPadOS and macOS last week, warning of two vulnerabilities that could have been exploited in the wild. CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that an adversary could exploit to execute arbitrary code with kernel privileges and take control over the system. CVE-2022-32893 is an out-of-bounds write issue in WebKit that can also lead to arbitrary code execution.
>
> ### Why do I care?
>
> While Apple did not disclose any details of attacks potentially exploiting these issues, it did say it was aware of a report that the issues “may have been actively exploited.” Apple says the vulnerabilities exist in iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch 7th generation. Any users of these devices should patch as soon as possible.
>
> ### So now what?
>
> Patch, patch and patch again if you’re using any Apple devices.

Top security headlines from the week

The LockBit ransomware’s website was hit with a large distributed denial-of-service attack after threatening to leak documents belonging to a cybersecurity firm. At one point, the site displayed a warning that the ransomware gang plans to upload the targeted company’s stolen data to peer-to-peer networks. Talos’ own Azim Shukuhi first tweeted that a LockBit member told him the site’s servers were receiving “400 requests a second from over 1,000 servers” in a possible “hack back” attack. DDoS attacks aim to disrupt a site’s operations by flooding it with traffic and messages, forcing it to essentially shut down for a period of time. (The Register, TechCrunch)

Former Twitter Head of Security Peiter “Mudge” Zatko filed a complaint to the U.S. Securities and Exchange Commission alleging that Twitter is not doing enough to crack down on bot and spam accounts. Mudge is known for being involved with the “Cult of the Dead Cow” hacking group, one of the first groups of its kind in history. The testimony to the SEC also stated that too many Twitter employees have access to critical user data and the company was not actually deleting user data when it was asked to. The number of bot accounts on the social media site is central to a failed bid for Elon Musk to buy the company. (CNN, The Verge)

The FBI is warning that threat actors are increasingly hijacking home IP addresses to disguise credential-stuffing attacks. An investigation from the FBI and its Australian counterparts uncovered two sites that contained more than 300,000 unique credentials that were for sale, warning they could be used in attacks against private companies. The actors are setting up proxies to disguise the flood of login attempts, and by using residential IP addresses, they can avoid usual detection techniques. (Cybersecurity Dive, FBI)
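The reason residential proxies defeat the "usual detection techniques" in the item above is that most login-abuse controls count failures per source IP, and a proxy pool spends only one or two attempts per address. A defender-side check that groups failures by the targeted account across distinct source addresses still sees the wave. The following is an added example written for this newsletter, not Talos code and not the FBI's guidance; the log line format, the thresholds, and the source IPs (taken from the RFC 5737 documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample auth log: a stuffing wave against "alice" spread over
# six source IPs (one attempt each, as a residential-proxy pool would
# produce), plus ordinary traffic from "bob", who mistypes once.
SAMPLE_LOG = """\
2022-08-25T17:59:01Z login user=alice src=203.0.113.5 result=FAIL
2022-08-25T17:59:02Z login user=alice src=198.51.100.12 result=FAIL
2022-08-25T17:59:02Z login user=bob src=192.0.2.40 result=FAIL
2022-08-25T17:59:03Z login user=alice src=203.0.113.77 result=FAIL
2022-08-25T17:59:04Z login user=bob src=192.0.2.40 result=OK
2022-08-25T17:59:04Z login user=alice src=198.51.100.200 result=FAIL
2022-08-25T17:59:05Z login user=alice src=203.0.113.9 result=FAIL
2022-08-25T17:59:06Z login user=alice src=198.51.100.33 result=FAIL
2022-08-25T18:20:00Z login user=alice src=203.0.113.5 result=FAIL
"""

# Hypothetical log format chosen for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, user, src_ip, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def _sliding_failures(events, key_field, window):
    """For each failed login yield (key, ts, recent), where recent holds the
    failures for that key inside the trailing window, current one included."""
    recent = defaultdict(deque)
    for ts, user, src, ok in events:
        if ok:
            continue
        key, other = (user, src) if key_field == "user" else (src, user)
        q = recent[key]
        q.append((ts, other))
        while q and q[0][0] < ts - window:
            q.popleft()
        yield key, ts, q


def detect_per_ip(events, window=timedelta(minutes=10), max_failures=5):
    """Classic per-source rate limit: IPs with more than max_failures failures
    in the window. One or two attempts per proxy address never trips this."""
    alerts = {}
    for src, ts, q in _sliding_failures(events, "src", window):
        if len(q) > max_failures:
            alerts[src] = {"failures": len(q), "at": ts}
    return alerts


def detect_distributed(events, window=timedelta(minutes=10), min_failures=5, min_sources=4):
    """Flag accounts hit by >= min_failures failures from >= min_sources distinct
    IPs inside the window. Keying on the target account rather than the source
    address is what surfaces a wave spread across residential IPs."""
    alerts = {}
    for user, ts, q in _sliding_failures(events, "user", window):
        sources = {src for _, src in q}
        if len(q) >= min_failures and len(sources) >= min_sources:
            prev = alerts.get(user)
            if prev is None or len(q) > prev["failures"]:
                alerts[user] = {"failures": len(q), "sources": len(sources), "at": ts}
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP alerts:", detect_per_ip(evts))          # {} on the sample
    print("distributed alerts:", detect_distributed(evts))  # flags alice
```

On the constructed sample the per-IP rule returns nothing, because no single address exceeds two failures in ten minutes, while the per-account rule flags alice with six failures from six distinct sources. In production the same grouping can be extended to failures per account across distinct ASNs, or to an overall failure ratio across all accounts, which catches the spray-shaped variant where each account is tried only once.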

Can’t get enough Talos?

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13)

Virtual

Most prevalent malware files from Talos telemetry over the past week


- **SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
- **MD5:** 93fefc3e88ffb78abb36365fa5cf857c
- **Typical Filename:** Wextract
- **Claimed Product:** Internet Explorer
- **Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

- **SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
- **MD5:** 2c8ea737a232fd03ab80db672d50a17a
- **Typical Filename:** LwssPlayer.scr
- **Claimed Product:** 梦想之巅幻灯播放器
- **Detection Name:** Auto.125E12.241442.in02

- **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
- **MD5:** 7bdbd180c081fa63ca94f9c22c457376
- **Typical Filename:** c0dwjdi6a.dll
- **Claimed Product:** N/A
- **Detection Name:** Trojan.GenericKD.33515991

- **SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
- **MD5:** a087b2e6ec57b08c0d0750c60f96a74c
- **Typical Filename:** AAct.exe
- **Claimed Product:** N/A
- **Detection Name:** PUA.Win.Tool.Kmsauto::1201

- **SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
- **MD5:** 8c69830a50fb85d8a794fa46643493b2
- **Typical Filename:** AAct.exe
- **Claimed Product:** N/A
- **Detection Name:** PUA.Win.Dropper.Generic::1201
