Newsletter

• 🎧 Catch the latest podcast with Egress co-founder and CEO Tony Pepper.  We talk mostly about email security and tech entrepreneurship when things change faster than we can even blink.  Listen here.

• ESET has done a fantastic job documenting the data-wiper attacks hitting Ukraine.  The latest report discusses a second wiper with worm-spreading capabilities and even a ransomware smokescreen.
• Microsoft says it has seen evidence that civilian digital targets are being hit in the Ukraine attacks and says these “raise serious concerns under the Geneva Convention.”
• SentinelLabs follows up with its own report on the wiper and decoy ransomware component.
• Symantec says the disk-wiping attacks preceded the Russian invasion.
• The U.S. government’s cybersecurity agency CISA has released IOCs to help defenders hunt for signs of these destructive payloads.

• Registration is open for SecurityWeek’s Supply Chain Security Summit on Wednesday, March 23, 2022. This virtual summit will examine the current state of supply chain attacks, the weakest links along the way, the biggest supply chain hacks in history, and best practices for managing this massive attack surface.

Meanwhile, Iran and China…

Speaking of apex-level nation-state malware activity, Symantec has found a super-stealthy backdoor linked to a Chinese APT actor first seen in 2012.  The Symantec report on Daxin confirms the Chinese have invested in a command-and-control mechanism similar to Regin.

MIT Technology Review’s Patrick Howell O’Neill looked at the paper and concluded it was China’s work to build a one-of-a-kind cyber espionage behemoth to last.

The skinny: “While Beijing’s hackers were once known for simple smash-and-grab operations, the country is now among the best in the world thanks to a strategy of tightened control, big spending, and an infrastructure for feeding hacking tools to the government that is unlike anything else in the world.”

Separately, the U.S. government spent a part of the week warning that Iranian government sponsored threat actors continue to take aim at global government and commercial networks.

The staggering ransomware wealth transfer.

From vx-underground on Twitter (take with multiple grains of salt):

In April last year, Emsisoft estimated that ransomware accounted for $74,632,036,933 moving from western countries to Russian criminal gangs.

Here’s another spicy Twitter thread on the Conti leaks suggesting links between Russian law enforcement and ransomware criminals.

Remember Log4Shell?

The SANS Internet Storm Center is reporting that attackers have lost interest in exploiting the Apache Log4j vulnerability.

SPONSORED.

• Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.

Must-see research projects.

• BrokenPrint documents a pre-auth stack-based overflow vulnerability found and exploited in Netgear  routers and modems.
• Stairwell’s Steve Miller on building a labeled malware corpus for YARA testing.
• Chinese security vendor Pangu Lab has published a 56-page technical report (PDF) showing its work researching Equation Group malware.

• Researchers at Tel Aviv University expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. The paper provide a detailed description of the cryptographic design and code structure, and severe design flaws.
• Wired’s Lily Hay Newman with a softball piece on Intel’s iSTARE, a team that looks for critical flaws before CPU chips to to production. (Non-paywall archive).
• Kolide’s Jason Meller asks: Is Grammarly a keylogger?

• Crowdstrike Falcon
• Databricks
• Fidelis CloudPassage Halo
• Okta ASA agent
• Palo Alto firewalls