Category Archives: News

How security vendors are aiding Ukraine


Since Russia launched a full-scale military invasion into Ukraine on February 23, a series of cyberattacks have been detected targeting Ukrainian businesses, websites and government agencies amid the ongoing conflict. Meanwhile, organizations in the cybersecurity sector have begun taking action to provide help and support to those directly and subsequently impacted by cyber incidents relating to the Ukraine-Russia crisis. Here is a list of the cybersecurity vendors currently known to be offering aid.

Vectra AI: Threat detection and response vendor Vectra AI is offering a slate of free cybersecurity tools and services to organizations that believe they may be targeted by cyberattacks in the Ukraine-Russia conflict. For immediate assistance in the current emergency, Vectra AI is offering several services on a complimentary basis. These include scanning Microsoft Azure Active Directory (AD), Microsoft 365 and AWS environments for signs of attack; monitoring network infrastructure both in the cloud and on-premises; and retaining historical metadata to support incident response investigations based on indicators of compromise for specific attack variants. It is also offering technology from Siriux to immediately discover malicious Microsoft Azure AD activity that could lead to the compromise of Exchange Online mailboxes.
SentinelOne: SentinelOne is offering its Singularity XDR platform free of charge for 90 days to Ukrainian companies, while its teams provide support for those in need by sharing research, recommendations, indicators, and tools to stay on top of the evolving threat landscape.

Avast: Cybersecurity software provider Avast has released a decryptor for HermeticRansom, a new ransomware strain that accompanies the HermeticWiper data-wiping malware circulating in Ukraine, which was discovered by ESET on February 23. The tool decrypts devices infected with HermeticRansom and allows users to recover their files.


How to manage privileged users in IT


This blog was written by an independent guest blogger.

Privileged users are the key to the information system. The operation of information systems and the availability of enterprise resources depend on privileged users’ actions. If admins make a mistake or their credentials are leaked to attackers or competitors, it could put your business at serious risk.

When business processes depend not on a single information system but on a set of complex solutions, each controlled by several administrators with different powers and competencies, controlling their actions becomes very difficult and costly. This is especially true if a proper authentication system is not in place and administrators use widely known or default passwords.

Of course, if all admins are honest and competent, such a situation may suit top management for some time; but if an incident occurs, it will not be easy to identify who is responsible.

If you hire a new administrator who does not understand all the interconnections of the system and breaks something by mistake, they may try to claim that others are to blame. Therefore, every privileged user must be authenticated individually and reliably, and their actions should be controlled with the greatest possible granularity, down to specific commands, operations, and clicked buttons.

There are many different ways to break into a system. For example, crooks can take advantage of a missing update and patch management process to exploit unpatched vulnerabilities, or turn to malicious insiders. However, for external attackers, impersonating an administrator account is the most effective way to breach an information system quickly and stealthily. Therefore, the reliability of the authentication mechanism for administrators and other privileged users is the key to the security of the company.

Best practices for authenticating privileged users

First, you need to know the requirements for authenticating privileged users. There are plenty of infosec standards and regulations in this field. Most of them have the following criteria:

One person – one account. This requirement is understandable and straightforward. If there is a shared or role-based account, and the password is known to several people, then it is hard to establish exactly who used it and performed specific actions. It is good if there are videos from office cameras, but, for example, the ability to connect remotely neutralizes this method of identification. One person can physically sit at the computer, and several other users can remotely connect to this account simultaneously. In this regard, the security system must know the person who is using the corresponding login name.
Legal requirements. In some countries, a legally significant authentication procedure is required for privileged users where each recorded action must be signed with an electronic signature. If illegal acts were committed using the company’s computer, then the manager must provide information about who exactly did it. Otherwise, they may be responsible for these actions.
Timely removal. Security standards require control over user access to information. Control means not only granting permission to access resources but also removing access rights in a timely manner. This is not a trivial task, especially if many applications are accessible from the external network. Typically, a role model is used for timely removal of rights: a directory of users with all their roles, combined with a single sign-on (SSO) system, allows you to remove a user's rights from all applications at once.
Non-repudiation. Many standards require the ability to conduct an investigation. Non-repudiation is associated with legal matters. All actions of privileged users must be signed with an electronic signature generated using the private key. According to the rules, this can only be done by a specific user who has access to the private key. It is highly desirable that this key is stored on a removable storage medium strongly associated with the user, for example, on a plastic card.
BYOD. In the era of digitalization, companies are forced to keep part of information systems constantly working. This implies that administrators have the ability to fix problems using any device at any time. Therefore, you have to allow remote administration, including the use of personal devices. This saves resources and money. However, when adopting BYOD, the authentication system should be based on standard technologies not tied to a specific device, platform, or program. To simplify BYOD, you need to use standard authentication protocols that are used by the most popular remote administration tools.
Clouds. Not all systems are now located within the perimeter. In the case of corporate use of the cloud, authentication must be linked to corporate verification mechanisms. To do this, cloud service providers offer the use of federated authentication protocols, such as OpenID or SAML, and access cloud services using the same authenticators as when accessing a corporate system.

All of the above requirements should be carefully considered when building a corporate authentication system. Privileged users should be provided with enhanced authentication mechanisms. Although they are somewhat more expensive, security, in this case, is more important than the cost of an additional identifier.

To fully comply with all of these requirements, the best variant is to use an SSO platform, an enterprise IDM with a role-based access rights management model and support for federated authentication protocols, as well as special devices for reliable authentication of privileged users.

What to use instead of a password?

For privileged users, simple passwords cannot be used. A password is easy to capture with a Trojan on the endpoint, even if the connection itself runs over a secure channel such as a VPN. The low cost of this authentication method is offset by the elevated risk of compromise, which is unacceptable for privileged users. Therefore, the standards strongly recommend (and sometimes back this with fines) that at least IT and information security administrators avoid using simple passwords. The alternatives are as follows:

Graphical passwords. Recently, various graphical authentication methods have begun to be used. Graphical password schemes allow using specially formed pictures to authenticate users based on specific rules. This method is relatively cheap and does not require complex protocols. At the same time, it provides ways to protect against automated interception. However, recording the authentication session and knowing the rules allow an attacker to guess the password. In addition, it is difficult to make this method legally significant.
One-time passwords. The cheapest alternative to a simple password is a One Time Password (OTP). You can get a code in different ways: SMS, using a special device, or a program. The principle of OTP generation can also be different: by number, by time, by crypto algorithm, or be even completely random.
Biometric authentication. As an identifier, you can use biometric parameters of a person, such as fingerprints, retina, hand veins, face, etc. With the current proliferation of cameras built into mobile phones, these technologies can achieve reasonably good results at an affordable cost. Fingerprint scanners are built into many smartphones, and face recognition is available in Windows. These technologies tie the device to the person who works with it.
Behavior analysis. It is possible to assess whether a specific person is working at the computer by analyzing additional information about their actions. For example, each person's typing style on the keyboard is unique. It can also vary depending on the device they use: a virtual keyboard, a tablet keyboard, a standard keyboard, etc. However, this method cannot be the main one for authentication; it can be used as an additional factor for the most important operations. When administering information systems, most user actions are routine, so user behavior can be checked for “commonness.”
Additional devices. For authentication, you can use additional devices that generate one-time passwords, store secret keys, and even sign documents. In particular, a smartphone with a built-in TPM for storing encryption keys may well act as such a device. In some cases, mobile devices can use external modules that store identification information and interact with the device via Bluetooth.

It should be noted that the listed alternatives are not mutually exclusive. They are complementary. It is quite possible to imagine multi-level authentication where a graphical password is used to access a database of face recognition images stored in the protected memory of a device with one-time passwords. At the same time, the system can take into account the characteristic features of the set of commands sent by the administrator (behavior analysis) and timely suppress attacks from the outside. All authentication methods can be used in one system, which makes this procedure highly secure.

Identity management tools for administrators

For administrators, some tools automate authentication management for both regular and privileged users. These tools include:

Password vault. This is usually a local application that encrypts all passwords for all user services. It can be accessed using a local password, and then this application automatically sends passwords to all services to which users connect. This eliminates the need to enter the password by hand and it will be difficult to intercept it using a keylogger or during an unsafe connection. Passwords stored in such an application will also be difficult to guess – they are generated randomly.
SSO. In essence, this is a development of the idea of secure password storage, but in a network version. The storage sits at the entrance to the corporate network, and users, especially privileged ones, having passed its authentication procedure, get access to all other corporate resources. At the same time, users do not know the passwords for the individual systems; they are hidden from them. Therefore, a privileged user cannot connect to a specific resource directly and bypass the SSO. In addition, enterprise SSO can also support federated authentication protocols for verifying the identity of users connecting to enterprise cloud services, sometimes referred to as Web SSO. SSO obtains information about which corporate resources should be accessible to each user either from the user directory or from a separate IDM system.
IDM. It is highly advisable to use IDM solutions in a large information system for managing access rights. For privileged users, special roles are created that describe the minimum permissions they need. To provide access for a specific user to an administered resource, it is enough to bind the corresponding role to it. Moreover, modern IDMs allow you to issue temporary rights, provide access to resources using a schedule, quickly block access to users suspected of compromise, and much more.
PUM – Privileged User Management. Some systems for controlling privileged users include built-in SSO mechanisms. In particular, they allow you to combine the requirements for authentication and requirements for authorization, enable the use of privileged accounts and correlate them with personal accounts. This makes PUM an essential element – privileged users cannot connect directly to the resources of the corporate network and their actions will be fully logged. Modern authentication protocols make it possible to connect PUM to external SSO and IDM systems, thereby integrating privileged users into a common access control system.

For large information systems with many administrators, outsourcers, department heads, and other privileged users, it is best to use all of these tools. Still, in specific cases, you can get by with a minimum of specialized solutions, for example, PUM with built-in SSO.

Managing privileged user passwords with PUM

The privileged user password management system allows you to separate administrators from the systems they control. The fact is that administrators can always create an additional administrative account in the system and use it to perform unauthorized actions. To exclude this possibility, it is necessary to ensure that administrators interact not directly with systems, but with an intermediary who already interacts with the target system and also records all the actions of administrators. Attempts to create additional privileged accounts will be recorded in the PUM and can be used during the investigation of incidents.

It is vital that the authorship of every recorded command is determined accurately and cannot be repudiated. To achieve this, PUM must be entrusted with the task of reliable authentication. Of course, PUM can be connected to an already deployed SSO system using federated or corporate authentication protocols; however, that requires such a system to be deployed in the first place. It is always better for privileged users to use stronger authentication methods than those used for regular users. Thus, having its own separate authentication system makes PUM more reliable and secure.

It is crucial for PUM to guarantee that users do not try to connect to target systems directly, bypassing control. And the authentication system provides just such a guarantee. Administrators simply do not know passwords from administrative accounts in target systems – this information is stored in PUM. As a result, PUM has the opportunity not only to record actions but also to block access for administrators if they try to perform dangerous actions. Thus, for PUM, having an embedded and integrated SSO system is an additional feature, convenience and, ultimately, a competitive advantage.
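To make the broker model described in the last three paragraphs concrete, here is an added example (not code from the original post, and not any vendor's PUM) of a minimal command broker: the administrator authenticates as an individual person, the broker is the only party that holds the credentials of the shared administrative account on the target system, every command is attributed to that person in a tamper-evident log, and commands that would create an extra privileged account are blocked and recorded for later investigation. Names such as `CommandBroker`, `Session`, `BLOCKED_PATTERNS` and the sample commands are this example's own. The log is protected with a hash chain plus an HMAC under a key only the broker holds; that gives integrity and ordering, but not the per-user electronic signature the article recommends for true non-repudiation, which would require a private key held by each administrator.

```python
import hashlib
import hmac
import json
import re
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy: commands that create accounts or grant them administrative
# group membership on the target. Illustrative patterns, not an exhaustive list.
BLOCKED_PATTERNS = [
    re.compile(r"^\s*useradd\b"),
    re.compile(r"^\s*usermod\b.*-aG\s+(sudo|wheel)\b"),
    re.compile(r"^\s*net\s+user\b.*\s/add\b", re.IGNORECASE),
    re.compile(r"^\s*net\s+localgroup\s+administrators\b.*\s/add\b", re.IGNORECASE),
]

GENESIS = "0" * 64


@dataclass
class Session:
    person: str          # the authenticated individual (one person, one account)
    target: str          # system being administered
    target_account: str  # shared admin account; only the broker knows its password


class CommandBroker:
    """Sits between administrators and target systems, deciding and logging."""

    def __init__(self, log_key: bytes):
        self.log_key = log_key
        self.entries: List[dict] = []
        self.prev_hash = GENESIS

    def execute(self, session: Session, command: str, now: Optional[float] = None) -> str:
        """Classify a command, record it under the person's identity, return the decision."""
        decision = "blocked" if any(p.search(command) for p in BLOCKED_PATTERNS) else "allowed"
        self._append({
            "ts": now if now is not None else time.time(),
            "person": session.person,
            "target": session.target,
            "target_account": session.target_account,
            "command": command,
            "decision": decision,
        })
        # Forwarding to the real target would happen here only when allowed.
        return decision

    def blocked_commands(self) -> List[str]:
        """Everything refused so far, for incident investigation."""
        return [e["command"] for e in self.entries if e["decision"] == "blocked"]

    # --- tamper-evident log -------------------------------------------------
    @staticmethod
    def _canon(entry: dict) -> bytes:
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True).encode()

    def _link(self, entry: dict) -> str:
        return hashlib.sha256(self._canon(entry) + entry["mac"].encode()).hexdigest()

    def _append(self, entry: dict) -> None:
        entry["prev"] = self.prev_hash
        entry["mac"] = hmac.new(self.log_key, self._canon(entry), hashlib.sha256).hexdigest()
        self.prev_hash = self._link(entry)
        self.entries.append(entry)

    def verify_log(self) -> bool:
        """True if no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev:
                return False
            expected = hmac.new(self.log_key, self._canon(entry), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("mac", "")):
                return False
            prev = self._link(entry)
        return True


if __name__ == "__main__":
    # Constructed session: an administrator restarts a service, then tries to
    # create an additional account; the second command is refused and recorded.
    broker = CommandBroker(log_key=b"constructed-broker-log-key")
    alice = Session(person="alice", target="db01", target_account="root")
    print(broker.execute(alice, "systemctl restart postgresql"))
    print(broker.execute(alice, "useradd backdoor"))
    print("blocked:", broker.blocked_commands(), "log intact:", broker.verify_log())
```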

Conclusion

Today, correct authentication procedures and rules cannot be ignored. For privileged users, this is crucial. Fortunately, there are not many privileged users in most organizations. More complex and expensive authentication methods can be used for them, up to special devices with built-in cryptographic functions, complex authentication protocols, and abnormal behavior recognition. For companies that care about protecting against insider threats, there are all the necessary components to authenticate almost any number of privileged users. At the same time, it would be nice not only to authenticate privileged users but also to record actions. Hence, it is logical to implement not just an SSO system with support for strong authentication for administrators but a full-fledged PUM with integrated SSO.


The Ukraine/Russia information war is forcing companies to choose a side


The Russian invasion of Ukraine has a very visible aspect as we see Ukrainians stand and fight the Russian military might. The geopolitical landscape is changing by the hour, as more governments take action to restrict Russia’s ability to wage war. Two aspects of the conflict have percolated to the top. These are the “information war” and the “war on information.” The actions of governments are creating a conundrum, for some, of business or conscience.

Directives and requests will come from the CEO/board. It will be the CIO, CISO and biz ops who will shoulder the implementation.

“Whether tech companies want to be or not, many now have to decide what role they play in a geopolitical conflict—in some cases for the first time. Geopolitics and technology have always been linked so decisions must be based on corporate culture and values. It is not enough to stay neutral, by the way, as neutrality is still a choice and still has implications, and the world is watching,” observes John Stewart, president, Talons Ventures, and cybersecurity career executive.


How blockchain investigations work


When Colonial Pipeline was hit by ransomware on May 7, 2021, it paid 75 bitcoins to restore its systems. But the money was not entirely lost. The FBI was able to trace it as it jumped from one digital wallet to another. At one point, on May 27, 63.7 of the bitcoins were transferred to an address and stopped moving. The FBI got the private key to unlock that bitcoin wallet and was able to retrieve the funds.


Conti Ransomware Group Diaries, Part I: Evasion


A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”

“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.

On Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.

The Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.

“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”

GAP #1

The temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.

On Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that has regularly used Trickbot to deploy malware.

Once in control over Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.

News of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.

“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”

“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.

“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum number, and the bot is checking that the new config should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”

It would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.

“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”

On October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Follow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.

GAP #2

The more recent gap in the Conti chat logs corresponds to a Jan. 26, 2021 international law enforcement operation to seize control of Emotet, a prolific malware strain and cybercrime-as-a-service platform that was used heavily by Conti. Following the Emotet takedown, the Conti group once again reorganized, with everyone forced to pick new nicknames and passwords.

The logs show Conti made a special effort to help one of its older members — Alla Witte — a 55-year-old Latvian woman arrested last year on suspicion of working as a programmer for the Trickbot group. The chat records indicate Witte became something of a maternal figure for many of Conti’s younger personnel, and after her arrest Conti’s leadership began scheming a way to pay for her legal defense.

Alla Witte’s personal website — allawitte[.]nl — circa October 2018.

“They gave me a lawyer, they said the best one, plus excellent connections, he knows the investigator, he knows the judge, he is a federal lawyer there, licensed, etc., etc.,” wrote “Mango” — a mid-level manager within Conti — to “Stern,” a much higher-up Conti manager and taskmaster who frequently asked various units of the gang for updates on their daily assignments.

Stern agreed that this was the best course of action, but it’s unclear if it was successfully carried out. Also, the entire scheme may not have been as altruistic as it seemed: Mango suggested that paying Witte’s attorney fees might also give the group inside access to information about the government’s ongoing investigation of Trickbot.

“Let’s try to find a way to her lawyer right now and offer him to directly sell the data bypassing her,” Mango suggests to Stern on June 23, 2021.

The FBI has been investigating Trickbot for years, and it is clear that at some point the U.S. government shared information with the Russians about the hackers they suspected were behind Trickbot. It is also clear from reading these logs that the Russians did little with this information until October 2021, when Conti’s top generals began receiving tips from their Russian law enforcement sources that the investigation was being rekindled.

“Our old case was resumed,” wrote the Conti member “Kagas” in a message to Stern on Oct. 6, 2021. “The investigator said why it was resumed: The Americans officially requested information about Russian hackers, not only about us, but in general who was caught around the country. Actually, they are interested in the Trickbot, and some other viruses. Next Tuesday, the investigator called us for a conversation, but for now, it’s like [we’re being called on as] witnesses. That way if the case is suspended, they can’t interrogate us in any way, and, in fact, because of this, they resumed it. We have already contacted our lawyers.”

Incredibly, another Conti member pipes into the discussion and says the group has been assured that the investigation will go nowhere from the Russian side, and that the entire inquiry from local investigators would be closed by mid-November 2021.

It appears Russian investigators were more interested in going after a top Conti competitor — REvil, an equally ruthless Russian ransomware group that likewise mainly targeted large organizations that could pay large ransom demands.

On Jan. 14, 2022, the Russian government announced the arrest of 14 people accused of working for REvil. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown was part of a cynical ploy to assuage (or distract) public concerns over Russian President Vladimir Putin’s bellicose actions in the weeks before his invasion of Ukraine.

The leaked Conti messages show that Trickbot was effectively shut down earlier this month. As Catalin Cimpanu at The Record points out, the messages also contain copious ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident (and indeed had paid Conti to ensure their silence). In addition, there are hundreds of bitcoin addresses in these chats that will no doubt prove useful to law enforcement organizations seeking to track the group’s profits.

This is the first of several stories about the inner workings of Conti, based on the leaked chat records. Part II will be told through the private messages exchanged by Conti employees working in different operational units, and it explores some of the more unique and persistent challenges facing large-scale cybercriminal organizations today.
