Latest Cybersecurity News 2022-03-21 Edition

Weekly CyberTip: Spotting Deep Fakes

“Deep fakes” have made headline news with the recent circulation of a bogus video purporting to be from Ukrainian President Volodymyr Zelenskyy, calling for his people to surrender in the war with Russia. Deep fakes are images or videos that simulate the speech or activities of an individual, often superimposed onto a third party, intended to trick audiences into thinking the media is real. The sophistication of artificial intelligence and machine learning techniques makes it harder than ever to spot deep fakes, but the SANS Institute has posted a detailed list of tips on how to identify them. Meanwhile, the fake 68-second Zelenskyy video has been taken down from social media sites.

Germany calls for businesses to drop Kaspersky software

On March 15, the federal agency in charge of managing computer and communication security for the German government issued a statement recommending that organizations switch away from Russian-owned Kaspersky security software. On its German-language site, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) highlighted the potential risks of using Russian technology:

“The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO, and the Federal Republic of Germany in the course of the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers.”

Cyclops Blink malware targeting ASUS routers

According to research from Trend Micro, a variant of the Cyclops Blink malware family is currently targeting over a dozen types of ASUS routers. There have been over 200 reported infections in Canada, the United States, and beyond. The malware appears to be indiscriminate, with organizations of a wide range of sizes and industries affected so far. ASUS has published a security advisory with information about updated firmware for its at-risk equipment.

The researchers warn that there will likely be other types of devices targeted by future variants of the malware (another variant discovered earlier in March was used to target WatchGuard Firebox devices). The advanced malware is modular in nature and designed to be resilient.

While there is no single defense for Cyclops Blink variants, organizations can protect themselves by employing basic security hygiene such as using strong passwords, using virtual private networks (VPNs), and keeping firmware up to date. The U.K.’s NCSC published a general advisory on Cyclops Blink on February 23, and the researchers provided a detailed appendix outlining IOCs for the malware. However, they had a grim recommendation for victims: “If it is suspected that an organization’s devices have been infected with Cyclops Blink, it is best to get a new router. Performing a factory reset might blank out an organization’s configuration, but not the underlying operating system that the attackers have modified.”

Cyclops Blink is believed to be the work of Sandworm (a.k.a. Voodoo Bear, TeleBots, or Iron Viking), a Russian APT responsible for the December 2015 Ukraine power grid cyberattack, interference in the 2017 French presidential election, the cyberattack on the 2018 Winter Olympics opening ceremony and, most notably, the devastating Petya and NotPetya global malware attacks in 2016 and 2017.

Fourth “data wiper” malware targeting Ukraine discovered

Security researchers have identified new data wiper malware deployed as part of the cyber war conducted by Russia against Ukraine. The new malware, dubbed CaddyWiper, destroys most user data and partitions from attached drives. The malware only spares domain controllers, apparently so it can remain resident and in control of compromised networks. Dozens of systems, including several in Canada and the United States, have been affected since its discovery on March 14.

CaddyWiper follows HermeticWiper and IsaacWiper (discovered in the last three weeks), and WhisperGate, which was used in cyber attacks against the Ukrainian government before the February 24 Russian invasion. While CaddyWiper has some behavioural similarities to the other malware varieties, it has been programmed in a novel way.

Organizations are encouraged to check their malware detection software to confirm that protections are available and active for this new threat.

CISA and FBI issue joint alert on SATCOM networks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert warning that they “are aware of possible threats to U.S. and international satellite communication (SATCOM) networks”.

The March 17 alert “strongly encourages critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in [the cybersecurity advisory] to strengthen SATCOM network cybersecurity.”

The alert, coded AA22-076A, is believed to have stemmed from a cyber attack on European residential broadband services coinciding with Russia’s invasion of Ukraine on February 24. While the initial source of the attack was unclear, further investigation reported by Reuters suggests Russian involvement in the incident.

CISA and the FBI encourage network providers to lower their alarm thresholds and implement additional monitoring to watch for anomalous traffic. Meanwhile, both network providers and their customers are reminded to follow key security hygiene best practices, including the use of strong authentication and MFA; avoiding default passwords; credential auditing; enforcement of “least privilege” principles; trust relationship reviews; logging and audit of third-party activities; use of encryption; and maintaining robust vulnerability management, patching, EDR and IRP practices.
