Having a solid disaster recovery plan is the glue that keeps your essential functions together when all hell breaks loose.

Source: Aleksei Gorodenkov via Alamy Stock Photo

COMMENTARY

As the conflict in Ukraine enters its third year, the global community is confronted with the grim reality of modern warfare, where cyber operations have emerged as a pivotal battleground. Reflecting on past events and the ongoing crisis, it's evident that cyberattacks have become a constant threat, leaving no sector untouched and rendering the Ukrainian people and their systems vulnerable to relentless aggression.

In January 2022, as tensions loomed, I was tasked with outlining the potential consequences of a Russian attack on Ukraine to a private equity client with operations in the region. Little did we know that the scenarios we discussed would soon transition from hypothetical to harrowing realities.

Fast forward to 2024, and the dire situation persists. Recent cyberattacks targeting Ukrainian state agencies, including the state-owned energy company, and financial institutions such as Monobank, Ukraine's largest mobile-only bank, underscore the severity of the ongoing digital onslaught. The infiltration of Ukrainian telecommunications giant Kyivstar by Russian hackers further highlights the magnitude of the threat, leaving millions without vital services for days.

**How to Prepare for Cyber Warfare**

Amidst this turmoil, organizations must prioritize disaster recovery preparedness to mitigate risks and enhance resilience. Here are essential steps to consider:

1.  Safety of personnel: Beyond technical aspects, acknowledging the human impact of cyber warfare is paramount. With millions of Ukrainian people displaced and seeking refuge, ensuring the safety and well-being of your teams and their vulnerable families should be a top priority.
    
2.  Comprehensive backup strategies: Implementing robust backup solutions for critical data, systems, and networks is essential to restore operations swiftly in the event of a cyberattack. A multisite strategy ensures data survivability even in the face of unforeseen disasters.
    
3.  Cybersecurity training and awareness: Educating employees about cybersecurity best practices significantly reduces the likelihood of successful attacks, making every individual a frontline defender against cyber threats.
    
4.  Multilayered defense mechanisms: Adopting a multilayered approach to cybersecurity, including firewalls, intrusion detection systems, and endpoint protection, strengthens defenses and minimizes vulnerabilities.
    
5.  Incident response planning: Developing a comprehensive incident response plan enables organizations to react swiftly and effectively to cyber breaches, ensuring minimal disruption and damage.
    
6.  Collaboration and information sharing: Collaborating within the cybersecurity community and sharing threat intelligence and best practices bolsters defenses and adaptability against evolving threats.
    

When I reflect on the pre-war briefing on that cold January day in 2022, I recall how dark and macabre my presentation was. Nobody thought that what I was outlining could become reality. But it did. And even worse.

As we continue to witness the devastating impact of cyber warfare in Ukraine, it serves as a poignant reminder of the imperative for preparedness and resilience in the face of modern threats. By implementing proactive cybersecurity measures, prioritizing human safety, and fostering collaboration, organizations can defend against cyberattacks and uphold principles of sovereignty and stability in the digital age. It is essential for organizations to have a solid disaster recovery plan, as it is the glue that keeps your essential functions together when all hell breaks loose. Together, we can navigate the complexities of cyber warfare and work towards a future where technology protects and empowers all, even amidst conflict and adversity.

**About the Author(s)**

Independent Cybersecurity Consultant

Hadi Shavarini an independent cybersecurity consultant is a seasoned CISSP, with over 20 years of extensive Cloud Security experience across Data, Application, IAM, and Infrastructure domains, along with strategic cybersecurity expertise. As a Cybersecurity Consultant and virtual Chief Information Security Officer (vCISO), he specializes in delivering unparalleled advisory and cybersecurity services fortifying organizations' governance, risk, and compliance strategies. Hadi has demonstrated proficiency in steering cybersecurity initiatives across diverse industries, including financial services, healthcare, energy, manufacturing, tech, and retail. As a vCISO and trusted advisor, he excels in fostering strong client relationships, conducting cybersecurity evaluations, and guiding clients in implementing security frameworks and regulatory compliance. Hadi's leadership extends to his roles as CEO & Cofounder at Blue Robin Inc., and CEO & Cofounder at WebMedicPro. His expertise encompasses a wide range of IT solutions, project management, and strategic consultancy in cybersecurity and technology integration.

Preparing for Cyber Warfare: 6 Key Lessons From Ukraine

By Uzair Amir
Residential proxies bypass geo-restrictions, unlocking global content & websites. Enjoy unrestricted browsing, enhanced privacy, and a world of opportunity for business and personal use. Explore residential proxies today!
This is a post from HackRead.com Read the original post: Access Limitless Global Content: How Residential Proxies Enable It

In a world where Internet and global connectivity is everything, it is essential for access to information and content to be unrestricted by borders. However, geographical limitations frequently restrict individuals’ access to web pages, services, and information based on their location, which frustrates users seeking open access to global content.

One such example is China, where Google and Facebook are still banned in 2024. Nevertheless, residential proxies provide a secure method for users to circumvent these restrictions with ease.

****What Are Residential Proxies?** **

Residential proxies are intermediary servers that give you another IP address assigned by a real Internet Service Provider (ISP) to an actual device. Consequently, when you use a residential proxy server, websites receive your requests as if they come from somewhere else which is in fact the location of the proxy itself anywhere across the globe. This not only helps one avoid geo-restrictions but also boosts privacy and security while online.

****Breaking Down Geo-Restrictions** **

Geo-blocking or geo-restrictions refer to limiting contents’ accessibility using geographical locations of its users by certain companies. This is usually witnessed on streaming platforms, news pieces as well as in retail where products/services vary depending on a user’s location. By hiding your true identity behind one’s own IP address using residential proxies, it enables locational-based contents such as news portals be accessed abroad as if it were local.

****Benefits of Using Residential Proxies for Accessing Global Content****

The benefits of having residential proxies do not just stop at watching shows that are restricted geographically in Netflix or viewing country-specific news websites. Here are some key advantages:

*   **Better Privacy and Anonymity**: Your original IP address gets hidden with residential proxy redirecting your internet connection which protects your identity together with personal data from possible cyber threats.
*   **More Diverse Content Availability**: Whether it is a video-sharing platform, social media network or online library, there might be fewer limitations imposed by residential proxies, thus giving a more varied and richer online experience.

****Choosing the Right Residential Proxy Provider** **

Choosing the most suitable residential proxy provider is crucial to having reliable and effective access to worldwide contents. Consider the following:

*   **Reliability and Speed**: Always find those providers with stable connections and high speeds for smooth browsing as well as streaming.
*   **Range of Locations**: Providers who offer a wide selection of countries/cities can help you globalize your internet experience in essence.
*   **Ethical Considerations**: Prefer providers who acquire IP addresses legally and transparently so as not to come across legal issues.

****Case Studies: Success Stories with Residential Proxies********Expanding Global Research Capabilities****

One market research company based in Canada used residential proxies to gain access to streaming content in more than 30 different countries. This was important for their project on analyzing global trends in streaming service preferences and viewership behaviors. Utilizing residential proxies helped to avoid geo-blocking that would prevent accessing regional-specific content portals by the firm.

As a result, some of their findings contributed to improving the content offerings and promotional strategies for a major streaming service across various markets, leading to increased subscriptions in several key regions.

****Enhancing Real-Time Data Accessibility for Financial Services****

Another example would be of a financial analysis corporation who went for proxies in order to get real-time information regarding stock markets from different parts of the world. They adopted residential proxies so that they could appear like locals in areas where before they had to put up with huge delays and denied access due to being flagged as bots. This made it easier for them to have access to such crucial finance reports like market prices instantly, which enabled them to make better-informed investment decisions and offer improved services for their clients.

****Localized Testing That Enhances E-commerce Strategies****

The reason why an e-commerce platform used residential proxies was because they wanted to test their websites all over the world and optimize them at various locations. The software developers of this website used this kind of proxy so that while designing, it would display the site just like it appears on other people’s computers across the globe.

For instance, malfunctioning currency exchange rates, limited use of languages and specific region user interfaces are some localization problems these staff were able to detect. As a result, there was a remarkable increase in user interaction within previously unproductive markets.

A social media management company relied on residential proxies for managing numerous accounts in different countries without violating any rules or regulations leading to bans or restrictions by social networks. It was especially important considering their regional targeting strategy as well as localized content creation tactics.

Thus, these servers were key in handling customer accounts based in Europe, Asia and the US through customization using content and engagement strategies that reflected culture peculiarities and preferences of each area respectively. Therefore, followership growth rate increased significantly, translating into increased client engagement level.

****Content Compliance and Verification****

In its bid to ensure compliance with various countries’ laws, a media house drew upon residential proxies. By doing this it allowed its compliance division members to be accessing content as viewers from those respective nations making sure that anything that is published meets local requirements set by law firms. This way the company managed to avert possible lawsuits and maintained its reputation as a culturally sensitive and responsible firm.

****Conclusion****

The unlimited advantages of residential proxies are that they provide access to worldwide internet content. They do not only eliminate geographical constraints, but also enhance security and privacy when surfing the net.

Residential proxies are gateways through which you can achieve more openness on the web whenever you need, be it for personal or business needs. Consider leveraging these tools for access to global content.

Through residential proxies, both corporate bodies and individuals can embrace innovation by broadening their horizons, gaining deep insights into everyday operations while at the same time optimizing online experiences.

Whether one is a market researcher or financial analyst, an e-commerce entrepreneur or social media manager or even just a content creator of whatever kind, these techniques provide endless opportunities for accessing international content in today’s digital era.

1.  Tools for Testing Your Proxy Servers
2.  Proxy or VPN for Netflix – Which is Best?
3.  Can You Secure Your Smartphone with a Proxy?
4.  Almost Every Major Free VPN Service is a Glorified Data Farm
5.  What is Dark Web, Search Engines, What Not to Do on Dark Web

Access Limitless Global Content: How Residential Proxies Enable It 

The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.

*   During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 
*   The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that's delivered via the .NET interop functionality to infect Word documents. 
*   The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates. 
*   We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code. 
*   The author’s design choices may have limited the spread of the virus to very few organizations while allowing it to remain active and undetected for a long period of time. 

As a part of a regular threat hunting exercise, Cisco Talos monitors files uploaded to open-source repositories for potential lures that may target government and military organizations. Lures are created from legitimate documents by adding content that will trigger malicious behavior and are often used by threat actors. 

For example, malicious document lures with externally referenced templates written in Ukrainian language are used by the Gamaredon group as an initial infection vector. Talos has previously discovered military theme lures in Ukrainian and Polish, mimicking the official PowerPoint and Excel files, to launch the so-called “Picasso loader,” which installs remote access trojans (RATs) onto victims' systems. 

In July 2023, threat actors attempted to use lures related to the NATO summit in Vilnius to install the Romcom remote access trojan. These are just some of the reasons why hunting for document lures is vital to any threat intelligence operation.  

In February 2024, Talos discovered several documents with content that seems to originate from Ukrainian local government organizations and the Ukrainian National Police uploaded to VirusTotal. The documents contained VBA code to drop and run an executable with the name \`ctrlpanel.exe\`, which raised our suspicion and prompted us to investigate further.   

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.   

**Attribution **

Although the virus is active in Ukraine, there are no indications that it was created by an author from that region. Even the debugging database string used to name the virus “E:\\Projects\\OfflRouter2\\OfflRouter2\\obj\\Release\\ctrlpanel.pdb” present in the ctrlpanel.exe does not point to a non-English speaker. 

From the choice of the infection mechanism, VBA code generation, several mistakes in the code, and the apparent lack of testing, we estimate that the author is an inexperienced but inventive programmer.  

The choices made during the development limited the virus to a specific geographic location and allowed it to remain active for almost 10 years. 

**OfflRouter has been confined to Ukraine **

According to earlier research by the Slovakian government CSIRT (Computer Security Incident Response Team) team, some infected documents were already publicly available on the Ukrainian National Police website in 2018.  

The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine. Since the malware has no capabilities to spread by email, it can only be spread by sharing documents and removable media, such as USB memory sticks with infected documents. The inability to spread by email and the initial documents in Ukrainian are additional likely reasons the virus stayed confined to Ukraine.  

One of the documents was recently uploaded to VirusTotal from Ukraine. 

The virus targets only documents with the filename extension .doc, the default extension for the OLE2 documents, and it will not try to infect other filename extensions. The default Word document filename extension for the more recent Word versions is .docx, so few documents will be infected as a result.  

This is a possible mistake by the author, although there is a small probability that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension, even if the documents are internally structured as Office Open XML documents.  

Other issues prevented the virus from spreading more successfully and most of them are found in the executable module, ctrlpanel.exe, dropped and executed by the VBA part of the code.  

When the virus is run, it attempts to set the value Ctrlpanel of the registry key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run so that it runs on the Windows boot. An internal global string \_RootDir is used as the value, however, the string only contains the folder where the ctrlpanel.exe is found and not its full path, which makes this auto-start measure fail.  

One interesting concept in the .NET module is the entire process of infecting documents. As a part of the infection process, the VBA code is generated by combining the code taken from the hard-coded strings in the module with the encoded bytes of the ctrlpanel.exe binary. This makes the generated code the same for every infection cycle and rather easy to detect. Having a VBA code generator in the .NET code has more potential to make the infected documents more difficult to detect.  

Once launched, the executable module stays active in memory and uses threading timers to execute two background worker objects, the first one tasked with the infection of documents and the second one with checking for the existence of the potential plugin modules for the .NET module.  

The infection background worker enumerates the mounted drives and attempts to find documents to infect by using the Directory.Getfiles function with the string search pattern “\*.doc” as a parameter.  

One of the parameters of the function is the SearchOption parameter which specifies the option to search in subdirectories or only the in the root folder. For fixed drives, the module chooses to search only the root folder, which is an unusual choice, as it is quite unlikely that the root folder will hold any documents to infect.  

For removable drives, the module also searches all subfolders, which likely makes it more successful. Finally, it checks the list of recent documents in Word and attempts to infect them, which contributes to the success of the virus spreading to other documents on fixed drives.  

__The choice of document filename extensions is limited to .doc.__

**OfflRouter VBA code drops and executes the main executable module **

The VBA part of the virus runs when a document is opened, provided macros are enabled, and it contains code to drop and run the executable module ctrlpanel.exe.

__The VBA part creates and executes the executable module of the virus.__

 The beginning of the macro code defines a function that checks if the file already exists and if it does not, it opens it for writing and calls functions CheckHashX, which at first glance looks like containing junk code to reset the value of the variable \`Y\`. However, the variable Y is defined as a private property with an overridden setter function, which converts the variable value assignment into appending the supplied value to the end of the opened executable module C:\\Users\\Public\\ctrlpanel.exe. Every code line that looks like an assignment appends the assigned value to the end of the file, and that is how the executable module is written.  

This technique is likely implemented to make the detection of the embedded module a bit more difficult, as the executable mode is not stored as a contiguous block, but as a sequence of integer values that look like being assigned to a variable.  

To a more experienced analyst, this code looks like garbage code generated by polymorphic engines, and it raises the question of why the author has not extended the code generation to pseudo-randomize the code.  

__Infected Word documents drop the .NET component that infects other documents__. 

The virus is unique, as it consists of VBA and executable modules with the infection logic contained in the PE executable .NET module.  

__The property Y has an overridden setter function to write into a file.__

**Ctrlpanel.exe .NET module **

The unique infection method used by ctrlpanel.exe is through the Office Interop classes of .NET VBProject interface Microsoft.Vbe.Interop and the Microsoft.Office.Interop.Word class that exposes the functionality of the Word application.  

The Interop.Word class is used to instantiate a Document class which allows access to the VBA macro code and the addition of the code to the target document file using the standard Word VBA functions.  

When the .NET module ctrlpanel.exe is launched, it attempts to open a mutex ctrlpanelapppppp to check if another module instance is already running on the system. If the mutex already exists, the process will terminate.  

Suppose no other module instances are running. In that case, ctrlpanel.exe creates the mutex named “ctrlpanelapppppp”, attempts to set the registry run key so the module runs on system startup, and finally initializes two timers to run associated background timer callbacks – VBAClass\_Timer\_Callback and PluginClass\_TimerCallback, implemented to start the Run function of the classes VBAClass and PluginClass, respectively. 

__Ctrlpanel.exe has two threads of execution.__

The VBAClass\_Timer\_Callback will be called one second after the creation of VBAClass\_Timer timer and the PluginClass\_Timer\_Callback three seconds after the creation of the PluginClass\_Timer.  

The full functionality of the executable module is implemented by two classes, VBAClass and PluginClass, specifically within their respective functions Backgroundworker\_DoWork. 

**_VBAClass is tasked with generating VBA code and infecting other Word documents_ **

 The background worker function runs in an infinite loop and contains two major parts, the first is tasked with the document infection and the second with finding the documents to infect, the logic we already described above.  

The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum. If the sum is zero, the document is considered already infected.  

__The file system time of creation is used as an infection marker.__

If the document to be infected is created in the Word 97-2003 binary format (OLE2), the document will be saved with the same name in Microsoft Office Open XML format with enabled macros (DOCX).  

The infection uses the traditional VBA class infection routine. It accesses the Visual Basic code module of the first VBComponent and then adds the code generated by the function MyScript to the document’s code module. After that, the infected document is saved.  

__The target document is converted to .docx and then infected.__

The code generation function MyScript contains static strings and instructions to dynamically generate code that will be added to infected documents. It opens its own executable ctrlpanel.exe for reading and reads the file 32-bit by 32-bit value which gets converted to decimal strings that can be saved as VBA code. For every repeating 32-bit value, most commonly for zero, the function creates a for loop to write the repeating value to the dropped file. The purpose is unclear, but it is likely to achieve a small saving in the size of the code and compress it.  

__Repeating 32-bit values are “compressed.”__

For every 4,096 bytes, the code generates a new CheckHashX subroutine to break the code into chunks. The purpose of this is not clear.  

__The VBA code infecting files is dynamically created.__

 After the file is infected, the background worker adds the infection marker file by setting the values of hour, minute, second, and millisecond creation times to zero.

__The infection market is set after the infected file has been copied to its original location.__

**_PluginClass is tasked with discovering and loading plugins_ **

Ctrlpanel.exe can also search for potential plugins present on removable media, which is very unusual for simple viruses that infect documents. This may indicate that the author’s aims were a bit more ambitious than the simple VBA infection. 

Searching for the plugins in removable drives is unusual as it requires the plugins to be delivered to the system on a physical media, such as a USB drive or a CD-ROM. The plugin loader searches for any files with the filename extension .orp, decodes its name using Base64 decoding function, decodes the file content using Base64 decoding, copies the file into the c:\\users\\public\\tools folder with the previously decoded name and the extension .exe and finally executes the plugin. 

__Any plugins found on a removable drive are decoded, copied to drive C: and launched.__

If the plugins are already present on an infected machine, ctrlpanel.exe will try to encode them using Base64 encoding, copy them to the root of the attached removable media with the filename extension “.orp” and set the newly created file attributes to the values system and hidden so that they are not displayed by default by Windows File Explorer. 

**It is unclear if the initial vector is a document or the executable module ctrlpanel.exe **

The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document. It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to doc before infecting documents. That way, the infection may be a bit stealthier.  

The following registry keys are set: 
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\AccessVBOM (to allow access to Visual Basic Object Model by the external applications) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings (to disable warnings about potential Macro code in the infected documents) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Options\\DefaultFormat (to set the default format to DOC) 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are  

The following ClamAV signatures detect malware artifacts related to this threat: 

Doc.Malware.Valyria-6714124-0 

Win.Virus.OfflRouter-10025942-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8 - .NET module ctrlpanel.exe  

**Infected documents  **

2260989b5b723b0ccd1293e1ffcc7c0173c171963dfc03e9f6cd2649da8d0d2c 

2b0927de637d11d957610dd9a60d11d46eaa3f15770fb474067fb86d93a41912 

802342de0448d5c3b3aa6256e1650240ea53c77f8f762968c1abd8c967f9efd0 

016d90f337bd55dfcfbba8465a50e2261f0369cd448b4f020215f952a2a06bce 

**Mutex **

ctrlpanelapppppp

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

But even with that focus, the sophisticated threat group has continued operations against targets globally, including the US, says Google's Mandiant.

Source: Militarist via Shutterstock

The formidable Sandworm hacker group has played a central role supporting Russian military objectives in Ukraine over the past two years even as it has stepped up cyberthreat operations in other regions of strategic political, economic, and military interest to Russia.

That's the upshot of the analysis of the threat actor's activities undertaken by Google Cloud's Mandiant security group. They found that Sandworm — or APT44, as Mandiant has been tracking it — to be responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022.

In the process, the threat actor established itself as the primary cyberattack unit within Russia's Main Intelligence Directorate (GRU) and among all Russian state-backed cybergroups, Mandiant assessed. No other cyber outfit appears as totally integrated with Russia's military operators as Sandworm is presently, the security vendor noted in a report this week that offers a detailed look at the group's tools, techniques, and practices.

"APT44 operations are global in scope and mirror Russia's wide ranging national interests and ambitions," Mandiant warned. "Even with an ongoing war, we have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America."

One manifestation of Sandworm's broadening global mandate was a series of attacks on three water and hydroelectric facilities in the US and France earlier this year by a hacking outfit called CyberArmyofRussia\_Reborn, which Mandiant believes is controlled by Sandworm.

The attacks — which appear to have been more a demonstration of capabilities than anything else — caused a system malfunction at one of the attacked US water facilities. In October 2022, a group that Mandiant believes was APT44 deployed ransomware against logistics providers in Poland in a rare instance of deploying a disruptive capability against a NATO country.

**Global Mandate**

Sandworm is a threat actor that has been active for more than a decade. It's well known for numerous high-profile attacks such as the one in 2022 that took down sections of Ukraine's power grid just prior to a Russian missile strike; the 2017 NotPetya ransomware outbreak, and an attack at the opening ceremony of the Pyeongchang Olympic Games in South Korea. The group has traditionally targeted government and critical infrastructure organizations, including those in the defense, transportation, and energy sectors. The US government and others have attributed the operation to a cyber unit within Russia's GRU. In 2020, the US Justice Department indicted several Russian military officers for their alleged role in various Sandworm campaigns.

"APT44 has an extremely broad targeting remit," says Dan Black, principal analyst at Mandiant. "Organizations who develop software or other technologies for industrial control systems and other critical infrastructure components should have APT44 front and center in their threat models."

Gabby Roncone, a senior analyst with Mandiant's Advanced Practices team, includes media organizations among APT44/Sandworm's targets, especially during elections. "Many key elections of high interest to Russia are taking place this year, and APT44 may attempt to be a key player" in them, Roncone says.

Mandiant itself has been tracking APT44 as a unit within Russia's military intelligence. "We track a complex external ecosystem that enables their operations, including state-owned research entities and private companies," Roncone adds.

Within Ukraine, Sandworm's attacks have increasingly focused on espionage activity with a view to gathering information for Russian military forces' battlefield advantage, Mandiant said. In many cases, the threat actor's favorite tactic for gaining initial access to target networks has been through exploitation of routers, VPNs, and other edge infrastructure. It's a tactic that the threat actor has been increasingly using since Russia's Ukraine invasion. While the group has accumulated a vast collection of bespoke attack tools, it has often relied on legitimate tools and living-off-the-land techniques to evade detection.

**An Elusive Enemy**

"APT44 is adept at flying under the detection radar. Building detections for commonly abused open source tools and living-off-the-land methods is critical," Black says.

Roncone also advocates that organizations map and maintain their network environments and segment networks where possible because of Sandworm's penchant for targeting vulnerable edge infrastructure for initial entry and re-entry into environments. "Organizations should additionally be wary of APT44 pivoting between espionage and disruptive goals after gaining access to networks," Roncone notes. "For folks working in media and media organizations in particular, digital safety training for individual journalists is key."

Black and Roncone perceive APT44/Sandworm's use of hacking fronts like CyberArmyofRussia\_Reborn as an attempt to draw attention to its campaigns and for deniability purposes.

"We have seen APT44 repeatedly use the CyberArmyofRussia\_Reborn Telegram to post evidence from and draw attention to its sabotage activity," Black says. "We cannot conclusively determine if this is an exclusive relationship but judge that APT44 has the ability to direct and influence what the persona posts on Telegram."

Black says APT44 could be using personas such as CyberArmyofRussia\_Reborn as a way to avoid direct attribution in case they cross a line or provoke a response. "But the second \[motive\] is that they create a fake sense of popular support for Russia's war — a false impression that average Russians are self-assembling to join the cyber fight against Ukraine."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Sandworm' Group Is Russia's Primary Cyberattack Unit in Ukraine

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.

“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”

**An Overflowed Tank and a French Rooster**

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”

A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.

Cyber Army of Russia Reborn via Telegram

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper _The Plainview Herald_ reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)

Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.

Cyber Army of Russia Reborn via Telegram

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.

A third screen recording shows Cyber Army of Russia Reborn's access to a French water utility.

Cyber Army of Russia Reborn via Telegram

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”

In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

Hackers Linked to Russia’s Military Claim Credit for Sabotaging US Water Utilities

Israel prepares for a response to Iran's April 14 drone and missile attack.

Source: Birgit Korber via via Alamy Stock Photo

Adding fuel to speculation that Israel may wage strategic cyberattacks on Iran in response to the April 14 aerial drone and missile attack, the Israeli Defense Forces (IDF) held simulated cyber and combat warfare drills.

Israel's Northern Command forces held the drills with the nation's cyber and technology units to test the combination of cyber and kinetic warfare in preparation to the nation's response to the Iranian attack, according to The Jerusalem Post.

Earlier this week, Israeli citizens received threatening text messages purportedly from an Iranian-backed hacking team warning that it has hijacked the nation's radar systems, stating: "You have only a few hours to fix the systems."

Israeli officials had not verified the group's claims.

**About the Author(s)**

Israeli Defense Forces Hold Hybrid Cyber &amp; Military Readiness Drills

Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31503

**Dolibarr vulnerable to Cross-Site Request Forgery**

High severity GitHub Reviewed Published Apr 17, 2024 to the GitHub Advisory Database • Updated Apr 17, 2024

**Package**

composer dolibarr/dolibarr (Composer)

**Affected versions**

<= 19.0.0

**Description**

Published to the GitHub Advisory Database

Apr 17, 2024

Last updated

Apr 17, 2024

GHSA-6ppg-rgrg-f573: Dolibarr vulnerable to Cross-Site Request Forgery

# Overview
Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs.

# Am I Affected?
You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`) and you have any cyclical relationships. If you are using these, please update as soon as possible.

# Fix
Update to v1.5.3

# Backward Compatibility
This update is backward compatible.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31452

**OpenFGA Authorization Bypass**

High severity GitHub Reviewed Published Apr 16, 2024 in openfga/openfga • Updated Apr 16, 2024

**Package**

gomod github.com/openfga/openfga (Go)

**Affected versions**

\>= 1.5.0, < 1.5.3

**Overview**

Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs.

**Am I Affected?**

You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b) and you have any cyclical relationships. If you are using these, please update as soon as possible.

**Fix**

Update to v1.5.3

**Backward Compatibility**

This update is backward compatible.

**References**

*   GHSA-8cph-m685-6v6r
*   openfga/openfga@b6a6d99

Published to the GitHub Advisory Database

Apr 16, 2024

Last updated

Apr 16, 2024

GHSA-8cph-m685-6v6r: OpenFGA Authorization Bypass

By Uzair Amir
Discover how omnichannel campaign management helps businesses thrive in 2024. Learn the benefits & unlock the secrets to success in today's tech-driven market.
This is a post from HackRead.com Read the original post: The Future of Business Communications: Trends Shaping the Industry

Keeping up with technology trends, especially focusing on effective business communication with your customers across all platforms, is crucial for your company’s success. Trends in 2024 include integrating omnichannel campaign management solutions to make business communications as effective and efficient as possible.

Integration testing services play a critical role in this context. They ensure that the various components of omnichannel platforms work together flawlessly, providing a consistent and reliable customer experience across all channels.

We will explore the following topics: what makes a successful business, the importance of knowing technology trends, and how a business can benefit from an omnichannel campaign management platform.

****What makes a successful business?********Provides high-quality products and services****

A successful business provides quality products and services that meet or exceed the customers’ expectations to build customers’ trust and loyalty.

****Enhances customer experience through omnichannel campaign management strategy****

A good, successful business provides an exceptional, quality customer experience. To grow your business, continue beyond closing a sale. The goal should be to satisfy customers with the products and services you provide and to consistently stay responsive in communicating with your customers to ensure their happiness with their purchase or subscription.

This includes knowing how else you can make customers happy by turning them into repeat buyers and by receiving positive feedback, recommendations, and referrals from them due to your high-quality customer service.

****Focuses on customers’ needs****

A successful business understands what its customers need, and its goal is to consistently deliver these needs and preferences to ensure customer retention and satisfaction.

****Innovates and adapts to current trends in technology****

To thrive, a business should innovate and adapt to current trends in technology to stay relevant, capitalize on emerging opportunities, and gain an advantage over existing competitors.

****The importance of knowing the trends in Technology****

Staying abreast with the latest trends in technology in business communications is crucial for the following reasons:

****It sustains competitiveness****

Keeping up with technological advancements guarantees that your business stays competitive in the market. Embracing innovative communication tools and tactics enables you to stay aligned with industry norms and fulfil customer demands, giving you a competitive advantage over rivals who may be slower to adopt new technologies.

****It enhances customer experience****

Trends in technology significantly influence customer experiences. By utilizing cutting-edge communication tools and platforms, businesses can offer smooth, tailored interactions across various channels. This elevates customer satisfaction, nurtures loyalty, and boosts the probability of repeat purchases and favourable recommendations.

****It improves productivity and efficiency****

Incorporating cutting-edge technology into business communications streamlines operations automates tasks, and boosts overall efficiency and productivity. Advanced collaboration platforms, AI-driven chatbots, and cloud-based communication solutions expedite decision-making, streamline workflows, and reduce turnaround times.

****It reduces the risks****

Neglecting technological trends in business communications can leave businesses vulnerable to risks. Outdated systems are susceptible to security breaches, compliance issues, and operational inefficiencies. Keeping up with the latest technologies allows businesses to anticipate and address potential risks, protect sensitive information, and stay ahead in an ever-changing digital environment.

****It adjusts to evolving consumer behaviour****

Adapting to changes in consumer behaviour enables businesses to tailor their communication strategies accordingly. Whether it involves embracing social media marketing, enhancing mobile experiences, or incorporating voice assistants, staying updated allows businesses to connect with customers where they are and effectively engage with them.

****How a business can benefit from an omnichannel campaign managing platform********Increase in customer engagement and loyalty****

An omnichannel campaign management platform enables businesses to interact with customers through various channels, including email, SMS, social media, etc., ultimately resulting in higher engagement and loyalty.

****Improved targeting and segmentation**    **

Enhanced targeting and segmentation enable businesses to customize marketing campaigns for specific customer segments, considering demographics, behaviour, and preferences. This yields more relevant and effective communication, ultimately driving higher conversion rates and ROI.

****Streamlined campaign management****

It offers businesses a centralized platform for planning, executing, and analyzing marketing campaigns across various channels, simplifying the management process, minimizing manual tasks, and enhancing overall efficiency.

****Seamlessly integrates with existing CRM, email marketing, and other business systems****

This seamless integration guarantees data coherence and enables personalized communication across different channels.

****Achieve a competitive advantage****

By utilizing an omnichannel campaign management platform, businesses can achieve a competitive advantage by delivering exceptional customer experiences, boosting revenue, and distinguishing themselves from rivals using conventional marketing approaches.

****Conclusion****

Staying updated with technology trends in business communications is essential for maintaining competitiveness and achieving success. One way to do this is to leverage omnichannel campaign management platforms. These platforms boost customer engagement, simplify campaign management, and seamlessly integrate with current systems, offering businesses a competitive edge.

****_RELATED ARTICLES_****

1.  How Cross-Chain DEXes Democratize the Crypto Market?
2.  Understanding Software Supply Chain and How to Secure It
3.  Digital Transformation in Financial Industry – Role of Fintech
4.  15 Best SaaS SEO Experts That Will Help You Dominate Online
5.  Zerocopter Debuts First Hacker-Led Cybersecurity Marketplace

The Future of Business Communications: Trends Shaping the Industry

Quantum computing on the level that poses a threat to current cybersecurity measures is still years off. Here's what enterprises can do now to avoid future disruptions.

Source: DM via Adobe Stock

Quantum computing is being driven by applications that process massive calculations for big data. That includes developing new pharmaceuticals, performing financial modeling, developing next-generation communications capabilities for terrestrial and extraterrestrial applications, optimizing logistics, and running finite element analysis, as well as everyday applications in healthcare, manufacturing, and critical infrastructure.

But when the promise of quantum computing is finally realized, it will disrupt more than just high-performance computer systems (HPCSs); it will turn classical cybersecurity on its head. Today's unbreakable, hardware-based cryptography systems will be child's play for quantum computing algorithms, warn cybersecurity experts, who caution that the level of compute power from quantum computers will dwarf today's.

Here's some of what enterprise executives and board members need to consider when preparing for the upcoming migration to the new computing environment.

**What Is the Quantum Computing Threat?**

Jérémie Guillaud, chief of theory at French quantum computer manufacturer Alice & Bob, says companies should identify which systems and data eventually could be vulnerable to an attack. He suggests planning to have to defend against an attacking machine with 1 million qubits. That provides a starting point: setting a goal to migrate vulnerable systems to a quantum computer with more than 1 million qubits.

To put this in perspective, in December, IBM's Condor quantum computer had 1,121 qubits. That baseline offers organizations somewhere to start their planning. Despite the progress made in the past 15 years of quantum computing development, the threat to enterprises is likely still a decade away, Guillaud estimates.

While qubits, like classical bits, are either positive or negative, superpositioned qubits, called cat qubits, can be both positive and negative, existing in two quantum states concurrently. Today there are no defenses against a cat qubit attack, although various organizations are experimenting with new approaches.

"Things that we don't do today can have a massive impact on the future, particularly around the concept of organizations that are harvesting data today, data that's in transit, with our idea of being able to be decrypted at a later stage," says Trevor Horwitz, founder and CISO of TrustNet, a provider of managed security, consulting, and compliance services. "It's not just about the risk of things happening today; it's being able to predict what risks we're going to be facing."

The effort, commonly called "harvest now, decrypt later," makes current highly secure data not as secure in the long term as the enterprise thinks. Boards need to begin their efforts now to secure data for a future that effectively is still unknown.

**The Board's Role With Quantum Computing**

If boards wait until quantum computers are in commercial production, it will be too late to start planning network and system upgrades, which could take up to a decade to fully implement, says Lisa Edwards, executive chair of Diligent Institute, the governance think tank and global research arm of Diligent Corp.

"The way that I think about it is this has moved from being a physics problem to being an engineering problem, and it's very rapidly becoming an operations problem," she notes. "I do think it's the appropriate time for boards to start becoming more knowledgeable about it, becoming conversant about it. The role of the board is not to tell the CISO which lattice-based encryption they should use. The role of the board is to ask the question: 'What are we doing? Are we prepared if this were announced tomorrow? What would happen?'"

Tom Patterson, managing director of emerging technology security at Accenture, agrees. Corporate boards should recognize that while the threats are real, they do not need to be quantum physicists to develop defenses — although they will need to listen to those who are in order to succeed, he says.

While boards have other cybersecurity concerns, they need to start planning for the future, Patterson adds. For example, boards can require that new infrastructure device purchases, such as routers and firewalls, have quantum-resistant or upgradable firmware. Since these purchases are often already scheduled as part of network maintenance, there are no unanticipated purchases.

As Patterson notes, one major vulnerability of classical computing is that firmware is hard-coded. That means hardware needs to be replaced rather than upgraded, since the firmware is permanent. As attackers find new ways to breach systems, new approaches are needed to improve firmware.

One approach, called cryptographic agility, allows organizations to update and rewrite firmware by automatically rotating algorithms at the press of a button. Such a system was demonstrated on low-Earth orbit satellites in 2023. Crypto agility could kill the need for hardware replacements when firmware is compromised, which would make a board look smart indeed.

**About the Author(s)**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

Tag

#git