Welcome to this week’s edition of the Threat Source newsletter — complete with a new format and feel.
First off, it goes without saying, but we’re all heartbroken by the crisis happening in Ukraine. Our hearts are with the people of Ukraine, our employees and their families, as well as everyone affected.
There’s been a lot of talk around disinformation and fake news in the wake of the conflict in Ukraine. As we’ve written about many times before, this can take many forms — fake news articles, deepfake videos, misleading social media posts, etc. But another form of disinformation I’ve seen over the past few weeks is social media sharing from the average person.
This isn’t some giant troll farm somewhere backed by millions of dollars — it’s regular users just sharing what they think is interesting without checking the origins of the post. There are a host of examples from Twitter and Instagram this week, including viral photos of alleged Ukrainian “Army Cats” who are trained to spot sniper lasers, a piece of art that people thought was the latest “Time” magazine cover and miscaptioned videos claiming to show Ukrainian and Russian soldiers dancing together.
The lesson here is that disinformation campaigns do not necessarily have to be some massive, coordinated effort. You or your friends could be helping to spread disinformation by blindly clicking the retweet button on a viral trend without checking for sources or facts beforehand. Some of these false or misleading posts are relatively harmless. But this is about addressing a larger problem of a history of disinformation campaigns and declining media literacy in our society.
Wartime propaganda has always been around in our world. Everything from the “I Want YOU” Uncle Sam poster to Rosie the Riveter are examples of the types of images that spread rapidly during previous wars. And while an Army Cat may not become as large of a cultural icon as Rosie, it’s always worth double-checking the source of anything you’re about to share, because you never know when it could be part of a larger state-sponsored information campaign.
This is just as good of a time to remind people to triple-check anything before you choose to share it. Look to see if you can find the origins of the information, see how else has shared it and if you can find a third party to verify the information you’re about to share. Even if you think that sharing it will help spread awareness or positive news around the current situation, it could be doing harm in the long run and feeding into the exact types of disinformation we’ve been warned about for years.
The one big thing
Talos is continuously monitoring the Ukraine-Russia situation by enacting a comprehensive, team effort to provide support to our partners and customers. These actions include regularly issuing new protections for cyber threats based on research findings and malware analysis, enacting an internal crisis management system to formalize components of our investigation, and sharing information with domestic and international intelligence partners.
Over the past two weeks, we’ve consistently updated our blog as we receive new information on this situation and cyber attacks that could affect the region and the globe. Matt Olney, the leader of our Threat Intelligence and Interdiction team, has a great post detailing the risks that come with everything being so in flux right now — the landscape is ripe for misattribution and FUD. We also have the technical details of the Cyclops Blink malware targeting small and home office routers, and a series of wiper campaigns targeting Ukraine (and likely to spill over to other countries).
Why do I care?
There are many reasons to care about the current situation in Ukraine that I couldn’t even begin to list here. But from a cybersecurity perspective, this is the closest we’ve ever been to a cyberwar. Security teams need to rely on their fundamentals while preparing for the worst-case scenario.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have already warned that large-scale cyber attacks could be coming to the U.S. as the West pushes back against Russia’s invasion, putting critical infrastructure and companies large and small at risk. Agencies in the U.K. and European Union have also released similar warnings.
So now what?
Talos' current guidance continues to echo the recommendations from CISA that global organizations with ties to Ukraine should carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage.
Regardless of present threats, our fundamental guidance remains the same. Tech debt, poor cybersecurity hygiene, and out-of-date systems and software will have catastrophic impacts on your organization. On the other side, network segmentation, visibility, asset inventories, prioritized patching and intelligence programs that actively drive changes in your defenses are key to successfully weathering attacks from any adversary.
Other newsy nuggets
A pro-Ukrainian member of the Conti ransomware gang leaked a trove of logs, including some internal chats, as the group faced internal strife over the Russia-Ukraine conflict. Portions of Conti had promised to carry out attacks in favor of Russia’s efforts, but it only took one member to dissent and reveal things like Bitcoin addresses where the Conti gang receives ransom payments, messages that disclose previously unknown victims and proof that the Trickbot botnet had been shut down earlier this year. The Conti drama is the latest sign of how split the ransomware community is over the Ukraine situation. (The Record, Krebs on Security)
Several of the world’s largest tech companies have also weighed in on the Ukraine conflict. Google announced it was donating millions of dollars to Ukraine and would be blocking Russian state-sponsored news outlets on YouTube known for spreading disinformation. Meanwhile, Apple said it would pause the sale of all its products in Russia and was also blocking some media outlets from their App Store. While other companies blocked real-time traffic data in Ukraine to prevent it from being abused. Cybersecurity vendors are also offering free software and services. (Washington Post, ZDNet, CNBC, New York Times)
Microsoft released another relatively light security update Tuesday, disclosing 71 vulnerabilities, including fixes for issues in Azure and the Office suite of products. March’s Patch Tuesday only included two critical vulnerabilities, which is notable considering there weren’t any critical issues in February’s security update. This round of vulnerabilities was notable for having the first-ever security update for an Xbox. The gaming console is susceptible to an elevation of privilege attack, which appears to be the first Xbox-specific security issue ever included in a Patch Tuesday. (Talos, ThreatPost)
Can’t get enough Talos?
- Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure
- Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device
- Threat Roundup for Feb. 25 to March 4
Upcoming events where you can find Talos
Cisco Secure Threat Alert: A Talos Ukraine Briefing (March 11 at 11 a.m. ET)
Livestreamed on all Talos social media platforms
RSA 2022 (June 6 – 9, 2022)
San Francisco, California
Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0
Typical Filename: NAPA_HQ_SetW10config.exe
Claimed Product: N/A
Detection Name: W32.File.MalParent
SHA 256: 02f6094b5d14e880a1fb7eef90228dbb34102788b5e513836750f90894dde185
Typical Filename: WaveSWUpdater.exe
Claimed Product: Wavesor SWUpdater
Detection Name: W32.02F6094B5D.Wavesor.SSO.Talos
SHA 256: 5a8660fdb45a0016725485a8a0e94df5a992953437ac18017850ec6e26d26b4a
Typical Filename: TiWorker.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: PUA.Win.Dropper.Miner::tpd
SHA 256: dcbb12bf4dd59d4907cb2c8daad2ba558fb462fdb795159e1b3c1ba8ecba9265
Typical Filename: KMSAuto_Lite_Portable_v1.2.1.zip
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Hackkms::mash.sr.sbx.vioc