Tag Archives: cyber attacks

Russian missile strikes overshadow cyberattacks as Ukraine reels from blackouts


Washington (CNN) —

Russia has pummeled Ukrainian cities with missile and drone strikes for much of the past month, targeting civilians and large swaths of the country’s critical infrastructure.

By Monday, 40% of Kyiv residents were left without water, and widespread power outages were reported across the country. On Thursday, Ukrainian President Volodymyr Zelensky accused Russia of ‘energy terrorism’ and said that about 4.5 million Ukrainian consumers were temporarily disconnected from the power supply.

The destruction exemplifies how indiscriminate bombing remains the Kremlin’s preferred tactic eight months into its war on Ukraine. Moscow’s vaunted hacking capabilities, meanwhile, continue to play a peripheral, rather than central, role in the Kremlin’s efforts to dismantle Ukrainian critical infrastructure.

“Why burn your cyber capabilities, if you’re able to accomplish the same goals through kinetic attacks?” a senior US official told CNN.

But experts who spoke to CNN suggest there is likely more to the question of why Russia’s cyberattacks haven’t made a more visible impact on the battlefield.

Effectively combining cyber and kinetic operations “requires a high degree of integrated planning and execution,” argued a US military official who focuses on cyber defense. “The Russians can’t even pull that sh*t off between their aviation, artillery and ground assault forces.”

A lack of verifiable information about successful cyberattacks during the war complicates the picture.

A Western official focused on cybersecurity said the Ukrainians are likely not publicly revealing the full extent of the impacts of Russian hacks on their infrastructure and their correlation with Russian missile strikes. That could deprive Russia of insights into the efficacy of their cyber operations, and in turn affect Russia’s war planning, the official said.

To be sure, a flurry of suspected Russian cyberattacks have hit various Ukrainian industries, and some of the hacks have correlated with Russia’s military objectives. But the kind of high-impact hack that takes out power or transportation networks has largely been missing.

Nowhere was that more evident than in the recent weeks of Russian drone and missile strikes on Ukraine’s energy infrastructure. That’s a stark contrast to 2015 and 2016 when, following Russia’s illegal annexation of Crimea, it was Russian military hackers, not bombs, that plunged more than a quarter million Ukrainians into darkness.

“All the Ukrainian citizens are now living in these circumstances,” said Victor Zhora, a senior Ukrainian government cybersecurity official, referring to the blackouts and water shortages. “Imagine your ordinary day in the face of constant disruptions of power or water supply, mobile communication or everything combined.”

Cyber operations aimed at industrial plants can take many months to plan, and after the explosion in early October of a bridge linking Crimea to Russia, Putin was “trying to go for a big, showy public response to the attack on the bridge,” the senior US official said.

But officials tell CNN that Ukraine also deserves credit for its improved cyber defenses. In April, Kyiv claimed to have thwarted a hacking attempt on power substations by the same group of Russian military hackers that caused blackouts in Ukraine in 2015 and 2016.

The war’s human toll has overshadowed those triumphs.

Ukrainian cybersecurity officials have for months had to avoid shelling while also doing their jobs: protecting government networks from Russia’s spy agencies and criminal hackers.

Four officials from one of Ukraine’s main cyber and communications agencies — the State Service of Special Communications and Information Protection (SSSCIP) — were killed October 10 in missile attacks, the agency said in a press release. The four officials did not have cybersecurity responsibilities, but their loss has weighed heavily on cybersecurity officials at the agency during another grim month of war.

Hackers linked with Russian spy and military agencies have for years targeted Ukrainian government agencies and critical infrastructure with an array of hacking tools.

At least six different Kremlin-linked hacking groups conducted nearly 240 cyber operations against Ukrainian targets in the buildup to and weeks after Russia’s February invasion, Microsoft said in April. That includes a hack, which the White House blamed on the Kremlin, that disrupted satellite internet communications in Ukraine on the eve of Russia’s invasion.

“I don’t think Russia would measure the success in cyberspace by a single attack,” the Western official said, rather “by their cumulative effect” of trying to wear the Ukrainians down.

But there are now open questions among some private analysts and US and Ukrainian officials about the extent to which Russian government hackers have already used up, or “burned,” some of their more sensitive access to Ukrainian critical infrastructure in previous attacks. Hackers often lose access to their original way into a computer network once they are discovered.

In 2017, as Russia’s hybrid war in eastern Ukraine continued, Russia’s military intelligence agency unleashed destructive malware known as NotPetya that wiped computer systems at companies across Ukraine before spreading around the world, according to the Justice Department and private investigators. The incident cost the global economy billions of dollars by disrupting shipping giant Maersk and other multinational firms.

That operation involved identifying widely used Ukrainian software, infiltrating it and injecting malicious code to weaponize it, said Matt Olney, director of threat intelligence and interdiction at Talos, Cisco’s threat intelligence unit.

“All of that was just as astonishingly effective as the end product was,” said Olney, who has had a team in Ukraine responding to cyber incidents for years. “And that takes time and it takes opportunities that sometimes you can’t just conjure.”

“I’m pretty certain [the Russians] wish that they had what they burned during NotPetya,” Olney told CNN.

Zhora, the Ukrainian official who is a deputy chairman at SSSCIP, called for Western governments to tighten sanctions on Russia’s access to software tools that could feed its hacking arsenal.

“We should not discard the probability that [Russian government hacking] groups are working right now on some high-complexity attacks that we will observe later on,” Zhora told CNN. “It is highly unlikely that all Russian military hackers and government-controlled groups are on vacation or out of business.”

Tanel Sepp, Estonia’s ambassador-at-large for cyber affairs, told CNN that it’s possible the Russians could turn to a “new wave” of stepped up cyberattacks as their battlefield struggles continue.

“Our main goal is to isolate Russia on the international stage” as much as possible, Sepp said, adding that the former Soviet state has not communicated with Russia on cybersecurity issues in months.


Russian-speaking hackers knock multiple US airport websites offline. No impact on operations reported



(CNN) —

More than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible Monday morning, and Russian-speaking hackers claimed responsibility.

No immediate signs of impact to actual air travel were reported, suggesting the issue may be an inconvenience for people seeking travel information.

The 14 websites include the one for Atlanta’s Hartsfield-Jackson International Airport. An employee there told CNN there were no operational impacts.

The Los Angeles International Airport website was offline earlier but appeared to be restored shortly before 9 a.m. Eastern. A spokesman did not immediately return a request for comment.

The hacking group known as Killnet listed multiple US airports as targets. It stepped up activity to target organizations in NATO countries after Russia’s February invasion of Ukraine. The loosely organized “hacktivists” are politically motivated to support the Kremlin but ties to Moscow are unknown.

The group claimed responsibility last week for knocking offline US state government websites. Killnet is blamed for briefly downing a US Congress website in July and for cyberattacks on organizations in Lithuania after the country blocked shipment of goods to the Russian enclave of Kaliningrad in June.

The type of cyberattack used by Killnet is known as “distributed denial of service” (DDoS), in which hackers flood computer servers with phony web traffic to knock them offline.
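The defender's side of the attack described above is mostly rate analysis: a flood shows up in web-server access logs either as a handful of sources making far more requests than any human would, or, when the botnet is large, as an overall request spike in which no single IP looks loud. The script below is an added example, not code from CNN or from any of the airports involved; the log lines, IP addresses, paths and timestamps are constructed here for illustration, and the thresholds (50 requests per source per 10-second window, 200 total per window) are assumptions to be tuned against real baseline traffic.

```python
"""Rate-based detection of HTTP flood (DDoS) traffic in web-server access logs.

Added example; log lines, IPs and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined" format: client IP, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_second, request_line), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def detect_flood(lines, window=10, per_ip_limit=50, global_limit=200):
    """Bucket requests into fixed windows of `window` seconds and flag two patterns.

    - a single source exceeding `per_ip_limit` in one window (a loud bot), and
    - a window whose total exceeds `global_limit` even though no single source
      is loud (the distributed case, which per-IP limits alone miss).
    Returns {"noisy_ips": [...], "spike_windows": [window_start_epoch, ...]}.
    """
    per_ip = defaultdict(int)      # (window_start, ip) -> request count
    per_window = defaultdict(int)  # window_start -> request count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:         # skip unparseable lines rather than crash
            continue
        ip, epoch, _req = parsed
        bucket = epoch - epoch % window
        per_ip[(bucket, ip)] += 1
        per_window[bucket] += 1
    noisy_ips = sorted({ip for (_b, ip), n in per_ip.items() if n > per_ip_limit})
    spike_windows = sorted(b for b, n in per_window.items() if n > global_limit)
    return {"noisy_ips": noisy_ips, "spike_windows": spike_windows}


# ---- constructed sample traffic (not real airport logs) ----------------------
def make_line(ip, epoch, path="/"):
    ts = datetime.fromtimestamp(epoch, timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    base = int(datetime(2022, 10, 10, 9, 0, tzinfo=timezone.utc).timestamp())
    lines = []
    # window 1: normal browsing, three clients, nine requests in ten seconds
    for i in range(9):
        lines.append(make_line(f"198.51.100.{i % 3 + 1}", base + i, "/flights"))
    # window 2: one loud source, 80 requests in ten seconds
    for i in range(80):
        lines.append(make_line("203.0.113.7", base + 10 + i % 10))
    # window 3: 60 sources x 5 requests = 300 total, none loud on its own
    for n in range(60):
        for k in range(5):
            lines.append(make_line(f"192.0.2.{n + 1}", base + 20 + k * 2))
    lines.append("not an access log line")  # exercises the parse-failure path
    return lines


if __name__ == "__main__":
    print(detect_flood(sample_log()))
```

Fixed windows are deliberately simple: a burst straddling a window boundary can be split and slip under both thresholds, so production detectors use sliding windows or a token bucket, and they key on more than source IP (User-Agent, requested path, ASN) because a large botnet's per-IP rate can look entirely ordinary.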

“DDoS attacks are favored by actors of varying sophistication because they have visible results, but these incidents are usually superficial and short lived,” John Hultquist, a vice president at Google-owned cybersecurity firm Mandiant, told CNN.

A Transportation Security Administration spokesperson said the agency is monitoring the issue and working with airport partners.


Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, including a zero-day vulnerability that’s under active attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.

Top of the list of this month’s updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.

“With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,” Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. “With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”

Very little is known about the nature and scale of the attacks other than an “Exploitation Detected” assessment from Microsoft. The company’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.

“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.

“Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

Also remediated by Microsoft are a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).

The update further stands out for patching as many as 32 issues in the Azure Site Recovery business continuity service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.

“Successful exploitation […] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,” the company said, adding the flaws do not “allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.”

On top of that, Microsoft’s July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.

Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

