Satellite monitors discovered two vessels with their trackers turned off in the area of the pipeline prior to the suspected sabotage in September.

The first gas leaks on the Nord Stream 2 pipeline in the Baltic Sea were detected in the early hours of September 26, pouring up to 400,000 tons of methane into the atmosphere. Officials immediately suspected sabotage of the international pipeline. New analysis seen by WIRED shows that two large ships, with their trackers off, appeared around the leak sites in the days immediately before they were detected.

According to the analysis by satellite data monitoring firm SpaceKnow, the two “dark ships,” each measuring around 95 to 130 meters long, passed within several miles of the Nord Stream 2 leak sites. “We have detected some dark ships, meaning vessels that were of a significant size, that were passing through that area of interest,” says Jerry Javornicky, the CEO and cofounder of SpaceKnow. “They had their beacons off, meaning there was no information about their movement, and they were trying to keep their location information and general information hidden from the world,” Javornicky adds.

The discovery, which was made by analyzing images from multiple satellites, is likely to further increase speculation about the cause of the blasts. Multiple countries investigating the incident believe the Nord Stream 1 and 2 pipelines were rocked by a series of explosions, with many suspicions directed at Russia as its full-scale invasion of Ukraine continues. (Russia has denied its involvement.) Once SpaceKnow identified the ships, it reported its findings to officials at NATO, who are investigating the Nord Stream incidents. Javornicky says NATO officials asked the company to provide more information. 

NATO spokesperson Oana Lungescu says it does not comment on the “details of our support or the sources used” but confirmed that NATO believes the incident was a “deliberate and irresponsible act of sabotage” and it has increased its presence in the Baltic and North Seas. However, a NATO official, who did not have permission to speak publicly, confirmed to WIRED that NATO had received SpaceKnow’s data and said satellite imagery can prove useful for its investigations.

To detect the ships, Javornicky says, the company scoured 90 days of archived satellite images for the area. The company analyzes images from multiple satellite systems—including paid and free services—and uses machine learning to detect objects within them. This includes the ability to monitor roads, buildings, and changes in landscapes. "We have 38 specific algorithms that can detect military equipment," Javornicky says, adding that SpaceKnow’s system can detect specific models of aircraft on landing strips.

Once it gathered archive images of the area, SpaceKnow created a series of polygons around the gas leak sites. The smallest of these, around 400 square meters, covered the immediate blast area, and larger areas of interest covered several kilometers. In the weeks leading up to the explosions, SpaceKnow detected 25 ships passing through the region, from “cargo ships to multipurpose larger ships,” Javornicky says. In total, 23 of these vessels had their automatic identification system (AIS) transponders turned on. Two did not have AIS data turned on, and these ships passed the area during the days immediately ahead of the leaks being detected.

By international law, large ships are required to install and use AIS. This vessel tracking system was created to help ships navigate and avoid potential collisions with other vessels. When turned on, AIS will broadcast a ship’s name, location, the direction of travel, speed, and other information.

It is relatively rare for ships to turn off their AIS transponders. Ships that “go dark” are often suspected of being involved in illegal fishing or modern slavery, with officials in Europe previously investigating ships that are believed to have turned off their AIS transponders. “It would not be common practice \[to have AIS turned off\], unless the vessels have a classified military mission or they would have some clandestine objectives, because the Baltic Sea is one of the busiest seas in the world in terms of commercial traffic,” says Otto Tabuns, the director of the Baltic Security Foundation, an NGO that focuses on the region.

Tabuns says the Baltic Sea has multiple main “arteries” where ships travel and it is “responsible” for ships in the area to have their AIS trackers turned on. Collisions at sea can be deadly and environmentally ruinous. “There are many places in the \[Baltic\] sea that are not navigable for bigger ships,” Tabuns says. “There are also some areas that are not recommended or where it is prohibited to ship because of the heritage of World War Two.” Decades-old wartime submarines and munitions litter the Baltic Sea’s floor.

SpaceKnow detected the ships that had AIS turned off using synthetic aperture radar (SAR) images from satellites. Most satellites observing Earth take photos of what’s beneath them; others, however, also use SAR to bounce radio waves off the ground and create images from them. Andrey Kurekin, a coastal ocean color scientist at the Plymouth Marine Laboratory who has analyzed satellite images for detecting objects at sea, says SAR technology can be useful for detecting ships, as it shows reflections from metal objects. “They are shown as bright objects in SAR images,” Kurekin says.

Kurekin says SAR images can be used to identify the longitude and latitude coordinates of a ship, the direction it is heading, and potentially to estimate its speed. “The main advantage of SAR over optical sensors is that the microwaves penetrate through clouds,” Kurekin says. The images are less impacted by the weather and can also provide visibility at night. “It's quite difficult to hide a ship from a SAR sensor,” Kurekin adds.

SAR images of the dark ships shared with WIRED show the vessels as glowing objects, not far from the explosion site around Nord Stream 2. “We assume it was one of those two dark ships that we have detected, but we're not making any decision,” Javornicky says. He says the company is not in the business of determining what may have happened or who is responsible but instead provided the data to authorities.

Kurekin cautions that AIS tracking systems onboard ships can, at times, fail. The signal from AIS could stop communicating with satellites or receivers on land, Kurekin says, adding that the signal can be impacted by the weather too. “If there is a vessel that you can see in SAR image but it's not reported by the AIS system, it does not necessarily mean that there's something wrong with this vessel,” Kurekin says. Signals from AIS transponders can also be manipulated—warships have had their AIS data spoofed, and ships around Russia and the Black Sea have vanished from trackers in recent years.

While there are multiple ongoing investigations into the explosions, determining the full picture of what happened may take some time. Police in Copenhagen said its initial investigations have determined that “powerful explosions” caused “extensive damage” to the pipes. Images taken from around the exploded sections of the pipe appear to show that at least 50 meters of the pipeline were destroyed in the explosions.

In an email, the Swedish security service, Säkerhetspolisen, said that due to “secrecy” around its operations, it could not discuss its investigation or whether it was looking at satellite data. However, agency spokesperson Gabriel Wernstedt says the organization is conducting a “criminal investigation of gross sabotage” around both the Nord Stream 1 and 2 pipes. “Certain seizures were made during the onsite investigations that are being analyzed,” Wernstedt says. In public statements, Säkerhetspolisen has confirmed denotations happened at the pipes and that the Swedish armed forces are involved in the investigations.

However, while the investigations are ongoing, there appear to be difficulties between the countries that are looking into the incident, which could slow the process. While Sweden says it is working with investigators in Germany and Denmark, the official leading its investigation has rejected plans to form a joint investigation.

Tabuns says he hopes that the incident will act as motivation for countries to work on better ways to share intelligence, particularly as Sweden and Finland apply to join NATO. Each country will have its own levels of classification for information and systems where it collects intelligence—these may often not be compatible, Tabuns says. However, he adds that the events should see countries look at increasing the “integration of existing national systems so that there would be real-time information sharing for any response.”

_Update 9:30 am, 11-11-22: Added statement from NATO._

‘Dark Ships’ Emerge From the Shadows of the Nord Stream Mystery

It's no secret that antivirus software is as essential to your computer as a power cord.
However, the threats don't stop at your devices. For example, criminals trying to steal your data can attack your Wi-Fi router, and phishing attempts can target your email. 
ESET's latest consumer product release takes a comprehensive approach to security to guard against a full range of threats. All are

It's no secret that antivirus software is as essential to your computer as a power cord.

However, the threats don't stop at your devices. For example, criminals trying to steal your data can attack your Wi-Fi router, and phishing attempts can target your email.

ESET's latest consumer product release takes a comprehensive approach to security to guard against a full range of threats. All are built with ESET's signature light footprint for gaming, browsing, shopping and socializing with no interruptions or slowdowns.

****Introducing enhanced security for Windows, Mac and Android****

For more than 30 years, ESET® has created industry-leading IT security software and services, protecting businesses worldwide from ever-evolving digital threats.

ESET's solutions for consumers use the same advanced technologies. By protecting your digital life, ESET delivers real-world protection against criminals trying to steal your identity, hack your bank account or lock down your computer.

As cyberthreats and hackers keep evolving, ESET's always a step ahead. Here's a look at the new product updates:

****ESET Essential Security****

**ESET NOD32 Antivirus for Windows & macOS**

As ESET's entry-level product, ESET NOD32 Antivirus is anything but basic. In addition to defending against malware and phishing attempts, this new version includes:

*   **Advanced machine learning:** Proactive technology designed to detect never-before-seen malware.
*   **DNA detection:** Uses code analysis to extract the "genes" responsible for a specific virus behavior to detect others like it.
*   **Exploit blocker:** Helps block zero-day exploits by monitoring for suspicious activity.
*   **Intel Threat Detection Technology:** Boosts ransomware protection by integrating Intel's hardware-based ransomware detection technology.

****ESET Advanced Security****

**ESET Internet Security for Windows, macOS & Android**

ESET Internet Security now offers additional layers of defense for your home network and smart devices and an updated secure browser feature.

Highlights include:

*   **Multi-platform coverage:** Secures all your devices (smartphone, laptop, smart TV, tablet, etc.) and the network they're connected to.
*   **Secure browser mode:** Encrypts all communication between the keyboard and browser for safer gaming, socializing and browsing.
*   **Brute Force Attack Protection:** Blocks attacks that attempt to guess your password and access your by feeding large volumes of previously breached passwords
*   **Banking and payment protection:** Includes a new and improved plugin that keeps personal information from being stolen while shopping, banking and paying online.
*   **Intel Threat Detection Technology:** Boosts ransomware protection by integrating Intel's hardware-based ransomware detection technology.

****ESET Premium Security****

**ESET Smart Security Premium for Windows, macOS & Android**

ESET's flagship product adds cloud sandbox analysis, a password manager and encryption for the ultimate in security.

New features include:

*   **ESET LiveGuard:** Personalized virus detection system that works with documents, scripts, installers, and executable files. Suspicious files are run in a safe, sandboxed environment before being cleared for release or deleted.

*   **Military-grade encryption software:** Designed to keep the files on your computer safe and those on any external drivers.

*   **Password management:** Generates strong encrypted passwords and stores them securely.

*   **iOS face detection:** For macOS users, integrates into the password management feature along with Google Authenticator's two-factor authentication.

_NOTE: All of ESET's consumer products include simplified security management via the ESET HOME user hub._

When technology enables progress, ESET is here to protect it. **Learn more here.**

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

ESET Antivirus: Advanced Protection Solutions for Home Users and Businesses

Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group.
The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called Prestige and is said to have taken place

Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group.

The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called Prestige and is said to have taken place within an hour of each other across all victims.

The Microsoft Threat Intelligence Center (MSTIC) is now tracking the threat actor under its element-themed moniker Iridium (née DEV-0960), citing overlaps with Sandworm (aka Iron Viking, TeleBots, and Voodoo Bear).

"This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity," MSTIC said in an update.

The company also further assessed the group to have orchestrated compromise activity targeting many of the Prestige victims as far back as March 2022, before culminating in the deployment of the ransomware on October 11.

The method of initial compromise still remains unknown, although it's suspected that it involved gaining access to highly privileged credentials necessary to activate the killchain.

"The Prestige campaign may highlight a measured shift in Iridium's destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine," the company said.

The findings come over a month after Recorded Future linked another activity group (UAC-0113) with ties to the Sandworm actor as having singled out Ukrainian users by masquerading as telecom providers in the country to deliver backdoors onto compromised machines.

Microsoft, in its Digital Defense Report published last week, further called out Iridium for its pattern of targeting critical infrastructure and operational technology entities.

"Iridium deployed the Industroyer2 malware in a failed effort to leave millions of people in Ukraine without power," Redmond said, adding the threat actor used "phishing campaigns to gain initial access to desired accounts and networks in organizations within and outside Ukraine."

The development also arrives amid sustained ransomware attacks aimed at industrial organizations worldwide during the third quarter of 2022, with Dragos reporting 128 such incidents during the time period compared to 125 in the previous quarter.

"The LockBit ransomware family account for 33% and 35% respectively of the total ransomware incidents that target industrial organizations and infrastructures in the last two quarters, as the groups added new capabilities in their new LockBit 3.0 strain," the industrial security firm said.

Other prominent strains observed in Q3 2022 include Cl0p, MedusaLocker, Sparta, BianLian, Donuts, Onyx, REvil, and Yanluowang.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland

The line between criminal and political aims has become blurred, but motivations matter less than the effects of a breach.

Cybersecurity professionals have long discussed the notion that future conflicts will no longer be fought just on a physical battlefield, but in the digital space as well. Although recent conflicts show that the physical battlefield isn't going anywhere soon, we are also seeing more state-backed cyberattacks than ever before. It is therefore vital that businesses, individuals, and governments ensure they are prepared for an attack. In the digital battleground it isn't just soldiers being targeted — everyone is in the line of fire.

Broadly speaking, an act of cyberwar is any state-backed malicious online activity that targets foreign networks. However, as with most geopolitical phenomena, real-world examples of cyberwarfare are far more complex. In the murky world of state-backed cybercrime, it isn't always government intelligence agencies directly carrying out attacks. Instead, it's far more common to see attacks from organized cybercriminal organizations that have ties to a nation-state. These organizations are known as advanced persistent threat (APT) groups. The infamous APT-28, also known as Fancy Bear, that hacked the Democratic National Committee in 2016 is a great example of this type of espionage.

The loose ties between APT groups and state intelligence agencies mean the lines between international espionage and more traditional cybercrime are blurred. This makes defining whether a particular attack is an "act of cyberwarfare" difficult. As such, security analysts are often only able to hypothesize whether an attack was state backed by percentages and degrees of certainty. This, in a way, is the perfect cover for malicious state agencies that wish to target and disrupt critical infrastructure while lowering the potential for generating a geopolitical crisis or armed conflict.

**If the Enemy Is in Range, So Are You**

Regardless of whether a cyberattack is directly linked to a foreign state agency, attacks on critical infrastructure can have devastating consequences. Critical infrastructure does not just refer to state-owned and operated infrastructure such as power grids and government organizations; banks, large corporations, and ISPs all fall under the umbrella of critical infrastructure targets.

For example, a targeted "hack, pump, and dump" scheme, where multiple personal online trading portfolios are compromised in order to manipulate share prices, could be undertaken by a state-backed group to damage savings and retirement funds in another nation, with potentially catastrophic consequences for the economy.

As governments and private organizations continue to adopt smart and connected IT networks, the risks and potential consequences will continue to grow. Recent research by the University of Michigan found significant security flaws in local traffic light systems. From a single access point, the research team was able to take control of over 100 traffic signals. Although the flaw in this system has subsequently been patched, this highlights the importance of robust, up-to-date inbuilt security systems to protect infrastructure from cyberattacks.

**Defend Now or Be Conquered Later**

With larger and more complex networks, the chance that vulnerabilities can be exploited increases exponentially. If organizations are to stand any chance against a sophisticated state-backed attack, every single endpoint on the network must be continually monitored and secured.

Some have already learned this lesson the hard way. In 2017, US food giant Mondelez was denied a $100 million insurance pay-out after suffering a Russian ATP cyberattack because the attack was deemed to be "an act of war" and not covered under the firm's cybersecurity insurance policy. (The conglomerate and Zurich Insurance recently settled their dispute on undisclosed terms.)

Endpoint security has never been more critical than today. The use of personal mobile devices as a work tool has become pervasive across almost every single industry. Scarily, this rise in bring-your-own-devices policy has in part been driven by the false assumption that mobile devices are inherently more secure than desktops.

However, several governments and ATP groups with well-established cyber capabilities have adapted to and exploited the mobile threat landscape for over 10 years with dangerously low detection rates. Attacks on government and civilian mobile networks have the potential to take down large portions of a workforce, grinding productivity to a halt and disrupting everything from government decision-making to the economy.

In today's threat landscape, cyberattacks aren't just a potential risk but are to be expected. Thankfully, the solution to minimize the damage is relatively straightforward: Trust no-one and secure everything.

IT and security managers may not be able to prevent a cyberattack or a cyberwar; however, they can defend themselves against the worst outcomes. If a device is connected to the infrastructure, whether physically or virtually, it is a potential back door for threat actors to access data and disrupt operations. So, if organizations want to avoid being caught in the crossfire of cyberwarfare, endpoint security must be the first priority in all operations, from mobile to desktop.

Cyberwar and Cybercrime Go Hand in Hand

Improper input validation in the firmware for some Intel(R) Server Board M10JNP Family before version 7.216 may allow a privileged user to potentially enable an escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Server Boards and Server Systems Advisory**

Intel ID:

INTEL-SA-00708

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

11/08/2022

Last revised:

11/08/2022

**Summary: **

Potential security vulnerabilities in some Intel® Server Boards and Server Systems may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities

**Vulnerability Details:**

CVEID: CVE-2022-30542

Description: Improper input validation in the firmware for some Intel(R) Server Board S2600WF, Intel(R) Server System R1000WF and Intel(R) Server System R2000WF families before version R02.01.0014 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-0185

Description: Improper input validation in the firmware for some Intel(R) Server Board M10JNP Family before version 7.216 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-25917

Description: Uncaught exception in the firmware for some Intel(R) Server Board M50CYP Family before version R01.01.0005 may allow a privileged user to potentially enable a denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

*   Intel® Server Board S2600WF Family.
*   Intel® Server Board M50CYP Family.
*   Intel® Server Board M10JNP Family.
*   Intel® Server System R1000WF Family.
*   Intel® Server System R2000WF Family.

**Recommendations:**

Intel recommends updating the firmware for the affected Intel® Server Boards and Server Systems to the latest version:

Intel(R) Server System R1000WF, R200WF and Intel(R) Server Board S2600WF Family updates are available here.

Intel(R) Server Board M50CYP Family updates are available here.

Intel(R) Server Board M10JNP Family updates are available here.

**Acknowledgements:**

The following issues were found internally by Intel employees; CVE-2022-30542 and CVE-2022-25917. Intel would like to thank Jorge E. Gonzalez Diaz.

Intel would like to thank Dmitry Frolov (CVE-2021-0185) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0185: INTEL-SA-00708

Welcome to this week’s edition of the Threat Source newsletter.
Tuesday was an absolute hammer for the infosec community. Not only did we have the US elections but we had Emotet returning and a regular Microsoft Tuesday release. That release always leads me to think about the bug

Thursday, November 10, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

Tuesday was an absolute hammer for the infosec community. Not only did we have the US elections but we had Emotet returning and a regular Microsoft Tuesday release. That release always leads me to think about the bug hunting ecosystem and the importance and value of vulnerability research. I admit that the phrase bug hunting ecosystem does lead you to think of the magical days in school. A tv rolled in the classroom on the big AV cart to show a documentary - the salad days. We were masters of our domain. Enough oldguy rambling, vulnerability research is absolutely vital to the security of the internet. Researchers dig into software and operating systems, identifying vulnerabilities in order to discover them before malicious threat actors do. A discovered and responsibly disclosed vulnerability can nullify possibly disastrous public exploitation before the attackers ever get their campaigns off the ground. It may also be before the threat actors have found the vulnerability at all. Ensuring that the vendor can create patches or remediation before attackers can leverage the vulnerability in the wild is a massive win for defenders, but it's often not discussed widely. So this is me saying "thank you so much" to those researchers that are undertaking the arduous process of identifying vulnerabilities and coordinating disclosure with the vendors

**The one big thing**

Emotet is back. Did it ever truly go away? Emotet has been disrupted by law enforcement only to return over and over again. Tracking Emotet as it evolved from banking trojan to modular botnet has been interesting. To me it’s not unlike the Whac-A-Mole adventure that was Talos v. Angler as they developed and implemented new techniques to not only exploit end users but attempt to avoid detection.

**Why do I care?**

Emotet has been very successful for a very long time and it’s likely that if you are reading this you are already aware of Emotet and may have had to deal with them firsthand. History shows us that they aren’t going away so being aware of the active research from Talos is vital in attempting to stay secure.

**So now what?**

Same as it ever was. Ensure that end users are educated as much as possible but understand that they will click the link. You need to verify that all security devices are up to date with the latest coverage releases, and that you follow the Talos blog where you will always find IOCs in clear text or appended via the Talos GitHub. Make sure you have implemented a strong patch management keeping systems up to date, as well as performing general system hardening that includes removing services or protocols that are unnecessary.

**Top security headlines from the week**

More than two dozen Lenovo notebook models are vulnerable to exploitation that disables the UEFI secure-boot process. Once exploited unsigned UEFI apps or load bootloaders can be run that permanently backdoor the device. Researchers from ESET disclosed the vulnerabilities as Lenovo released security updates for 25 vulnerable models. Vulnerabilities that undermine the UEFI secure boot make it possible for attackers to install malicious firmware that survives multiple operating system re-installations and avoids detection. (Ars Technica)

Zimperium zLabs recently identified a malicious extension that lets attackers control Google Chrome remotely. Cloud9, a malicious browser extension, is not only capable of stealing the information from a browser session, it can also install malware on a user’s device and subsequently assume control of the entire device, effectively a remote access trojan (RAT) for the Chromium web browser (Google Chrome and Microsoft Edge for example). The extension was not available on the official Chrome store but instead delivered via websites pushing fake Adobe Flash Player updates. (Bleepingcomputer)

**Can’t get enough Talos?**

*   Emotet coming in hot
*   Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
*   Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities
*   The Company You Keep – Preparing for supply chain attacks with Talos IR

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA25  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Detection Name: W32.DFC.MalParent

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: IMG001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Nov. 10, 2022): Vulnerability research, movies in class, and Emotet once again

Questions about the Kremlin’s relationships with these groups remain. But researchers are finally getting some answers.

Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbor the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cybercriminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.

New research presented at the Cyberwarcon security conference in Arlington, Virginia, today looks at the frequency and targeting of ransomware attacks against organizations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.

“We used the data to compare the timing of attacks for groups we think are based out of Russia and groups based everywhere else,” Nershi told WIRED ahead of her talk. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”

The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. Then the attackers demand a ransom not only for the decryption key but to keep the stolen data secret instead of selling it. The researchers may not have captured data from every single double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.

The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organizations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline. 

The increase wasn't visible in every sector, though. Russia-based ransomware gangs did seem to target government organizations and infrastructure at a slightly elevated rate two months out from a country's national election, but Nershi says the total number of attacks on government entities in the data set was small to begin with. The analysis didn't find a statistically significant increase in the number of attacks against organizations in the communications, finance, energy, and utility sectors leading up to elections. But because of the overall increase in attacks across all types of organizations, the researchers theorize that there may be a spillover effect that the Russian government's general increase of cyber activity in the lead-up to an election in one of the six countries indirectly fuels ransomware attacks.

“We are theorizing that there seems to be some level of loose ties between these ransomware groups based in Russia and the Russian government,” Nershi said, "In that they are criminal organizations, they’re in it for profit, but it seems like occasionally the Russian government will ask them for favors, and they’ll agree to operate on this sort of ad hoc basis."

The research aligns with other recent analyses and information, including details from a massive trove of chat logs leaked earlier this year that showed how the notorious Conti ransomware group operates. The data indicated that Conti members very likely have connections within Russia's FSB intelligence agency and knowledge of Russian military hacking operations, painting a picture of loose and ad hoc cooperation. 

“What the groups get out of it is generally not being prosecuted. And for the Russian government, it can allow them to outsource to some degree certain tasks in a way that gives them plausible deniability,” Nershi says. "As I perceive it, it's a strange, nebulous, ambiguous relationship."

Russia’s Sway Over Criminal Ransomware Gangs Is Coming Into Focus

Five practical steps to up-level attack surface management programs and gain greater visibility and risk mitigation around the extended ecosystem.

Modern IT environments are purposefully designed to be dynamic, evolving organically through things such as cloud computing, Internet of Things (IoT) devices, and, for many organizations, through mergers and acquisitions and supply chain business relationships. While enabling greater business efficiency and effectiveness, often infrastructure and data are added ad hoc without looping in the IT team or adhering to organizational security policies. The result is unmanaged or unknown infrastructure within the technology ecosystem, which introduces hidden risk.

Most security teams will acknowledge a lack of visibility in this dynamic environment. Whether it's credentialed access or missing agents, it's common to have a gap in visibility. However, unknown unknowns present an even more significant visibility challenge in most organizations.

**What Is an Unknown-Unknown Asset?**

Let's start by defining what we mean by unknown unknowns, or assets of which the security and IT teams have no awareness. Unknown unknowns can be introduced in a multitude of ways. For example, well-meaning developers with the ability to provision cloud resources on a personal credit card can spin up new database instances.

Consider capable contractors who can spin up their own infrastructure but forget to limit access to the code on GitHub. Or the business partners (third- and Nth-party suppliers) that are not accounted for in the extended enterprise ecosystem. Mergers are another common way that "unknown unknowns" are introduced — when the often outdated list of IT infrastructure doesn't meet the current reality of the infrastructure state.

With supply chain compromise on the rise and increasing organizational sprawl, how can organizations manage and mitigate risk from unknown unknowns?

**Closing Attack Surface Visibility Gaps**

To solve for unknown unknowns, security teams need to establish mechanisms and processes to maintain an up-to-date inventory of all _known_ assets associated with their organization and the vulnerabilities that can be used by threat actors as entry points into the network. The more known about the organization, the more information to perform active and continuous search for unknowns, and even fewer unknown unknowns.

Below are five practical steps to closing visibility gaps:

1.  **Enumerate and continuously monitor the asset inventory:** Create a process and workflow for continuous asset discovery that delivers a comprehensive inventory. Assets include internal and external resources, cloud resources, employees, and the supply chain. Externally accessible assets are often targeted by threat actors for initial access (MITRE T1190) by exploiting known vulnerabilities. In situations where a zero-day is disclosed, the security team can leverage the inventory to answer these questions: "Do we have that technology in our ecosystem and, if so, where?" and "Are we running the vulnerable version of the technology?"
2.  **Determine ownership of assets:** Attribution plays a big role in providing relevant information to the security team. Receiving a list of assets that may or may not be owned by your organization will slow down the team as they triage false positives (out-of-scope assets). At the onset of asset discovery efforts, the inventory should be audited to determine what is directly managed vs. shared security model (where the management of the asset is outsourced to a provider – such as a cloud service or SaaS provider). Management becomes easier over time as a security team establishes the baseline understanding of asset ownership.
3.  **Enrich assets with intelligence to identify and prioritize critical and high-severity issues**: The faster vulnerabilities are identified, the faster the security team can respond. Indicators of compromise (IoCs) and Dark Web monitoring can inform a security team of malicious activity involving the brand or an asset. Analysis based on incident response and adversary research can help defenders respond and prioritize appropriately based on how a vulnerability is being leveraged and the impact of exploitation. Recommended sources include NIST National Vulnerability Database (NVD), CISA's Known Exploited Vulnerability catalog, and intelligence feeds from the private sector.
4.  **Remediate and harden at scale****:** Prioritizing remediation and hardening efforts on the entry points that present the most risk to the organization is crucial to mitigation strategies. Critical and high-severity security findings should be investigated and remediated immediately. Over the medium and long term, the security team needs to be aware of and monitor for lower severity vulnerabilities that are often overlooked but can be used in tandem with easier-to-exploit vulnerabilities. Assign responsibility to the lower-priority items and set expectations for quarterly reporting on progress.
5.  **Regularly review assets for unknown unknowns — and integrate your findings into steps 1–4**: Information is only valuable if it's used. As more data is collected about an organization's attack surface, the information needs to be distributed to the appropriate teams within the organization and incorporated into the operational workflows across the security operations center (SOC) or intelligence organization. For example, the SOC team can leverage the latest information about potentially compromised devices to take specific threat-hunting actions and then implement mitigation strategies.

Managing and mitigating risk from known threats is challenging enough for already over-stretched security teams. By following the steps above, organizations can uplevel their attack surface management programs and gain greater visibility into potential risk within their extended ecosystem as well.

**About the Author**

    

Jonathan Cran is head of engineering, Mandiant Advantage Attack Surface Management, at Mandiant and was the founder and CEO of Intrigue prior to its acquisition by Mandiant in 2021. An experienced entrepreneur and builder, he's passionate about delivering high-quality outcomes and data-driven solutions, particularly when they require significant technical leadership. He is constantly striving to understand customers' challenges and deliver elegant solutions. His background includes hands-on experience as a security practitioner and leadership roles at companies such as Kenna Security, Bugcrowd, and Rapid7.

Managing and Mitigating Risk From Unknown Unknowns

KmsdBot takes advantage of SSH connections with weak login credentials to mine currency and deplete network resources, as it gains a foothold on enterprise systems.

A just-discovered evasive malware takes advantage of a key Internet-facing protocol to gain entry onto enterprise systems to mine cryptocurrency, launch distributed denial-of-service (DDoS) attacks, and gain a foothold on corporate networks, researchers have found.  

Dubbed KmsdBot by researchers at Akamai Security Research, the botnet infects systems via a Secure Shell Protocol (SSH) connection with weak login credentials, according to a report published Thursday. SSH is a remote administration protocol that allows users to access, control, and modify their remote servers over the Internet.

The botnet poses the most risk for enterprises that have deployed cloud infrastructure, or corporate networks that are exposed to the Internet, says Larry Cashdollar, principal security intelligence response engineer at Akamai.

“Once this malware is running on your system, it essentially has a toehold into your network," he tells Dark Reading. "It has functionality to update and spread itself, so it's possible it can burrow itself deeper into your network and surrounding systems.”

The researchers observed KmsdBot — which is written in Golang as an evasive measure — targeting an "erratic" range of victims, including gaming and technology companies as well as luxury car manufacturers, Cashdollar wrote in a Nov. 10 report. Golang is a programming language that's attractive to threat actors because it's difficult for researchers to reverse engineer.

Moreover, once it infects a system, the botnet does not maintain persistence, allowing it further to evade detection. "It’s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang," Cashdollar wrote.

**Attack on Gaming Company**

The researchers detected KmsdBot when it dangled an unusually open honeypot in the hopes of luring attackers. The first victim of the new malware they observed was an Akamai client — a gaming company called FiveM that allows people to host custom private servers for Grand Theft Auto online, they said.

In the attack, threat actors opened a user datagram protocol (UDP) socket and built a packet using a FiveM session token. UDP is a communication protocol used across the Internet for time-sensitive transmissions, such as video playback or DNS look-ups.

"This will cause the server to believe a user is starting a new session and waste additional resources besides network bandwidth," Cashdollar wrote.

The researchers also observed a range of other attacks by the bot that were less specifically targeted, they said. They included generic Layer 4 TCP/UDP packets with random data as a payload, or Layer 7 HTTP consisting of GET and POST requests to either the root path or a specified path set in the attack command, he said.

And while the bot does have cryptomining capability, researchers did not observe this particular aspect of its functionality — only the DDoS activity, Cashdollar added.

In general, KmsdBot has a wide attack surface, supporting multiple architectures including Winx86, Arm64, mips64, and x86\_64, researchers said. It uses TCP to communicate with its command-and-control infrastructure.

**Avoiding and Mitigating Bot Attacks**

Despite the danger it poses to enterprises, they can avoid falling victim to the botnet by using common network security best practices that they really should be implementing anyway, Cashdollar says.

"The best way to prevent getting infected is to either use key-based authentication and disable password logins, or make sure you're using strong passwords," he tells Dark Reading.

Indeed, password compromise — whether it's by using stolen credentials or cracking a company's weak protections — remains one of the top ways threat actors access enterprise systems.

Beyond strong passwords, security experts recommend multifactor authentication, as well as more advanced solutions to solve this persistent issue. However, it's advice that remains unheeded by users in many corporate settings, leaving networks exposed to threats such as KmsdBot. 

Other easy steps organizations can take to protect themselves, according to Cashdollar, include keeping deployed applications up to date with the latest security patches, as well as checking in on them from time to time to ensure they remain secure.

Evasive KmsdBot Cryptominer/DDoS Bot Targets Gaming, Enterprises

Security researchers see updated tactics and tools—and a tempo change—in the cyberattacks Russia’s GRU military intelligence agency is inflicting on Ukraine.

Since Russia launched its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.

At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.

That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It's allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.

"Strategically, the GRU needs to balance disruptive events and espionage," Roncone told WIRED ahead of her and Wolfram's CyberwarCon talk. "They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they've started 'living on the edge' of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying."

In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU's focus on hacking edge devices enabled its new tempo and tactics.

In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization's firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network's machines—and then maintained access through the firewall that allowed them to launch _another_ wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization's routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.

Separately, Microsoft’s Threat Intelligence Center, known as MSTIC, revealed today yet another example of the GRU launching repeated cyberattacks on the same Ukrainian targets. According to MSTIC, the hacker group it calls Iridium, more widely known as the GRU hacking unit Sandworm, was responsible for Prestige ransomware attacks that hit transportation and logistics targets in Ukraine and Poland from March to October of this year. MSTIC notes that many of the victims of that ransomware had earlier been hit with the wiper tool HermeticWiper just before Russia’s February invasion—another piece of data-destroying malware linked to the GRU.

The GRU, Roncone and Wolfram point out, have certainly targeted "edge" devices before this new phase of the agency cyberwar in Ukraine. In 2018, the agency's hackers infected more than half a million routers worldwide with malware known as VPNFilter, and they similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia's Ukraine invasion in February.

But the Mandiant analysts argue that only now are they seeing that hacking of edge devices used to accelerate the agency's pace of operations and to achieve persistence inside networks that lets the GRU pull off repeated intrusions against the same victims. That's meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they're spying on, the agency has been able to "have their cake and eat it too," as Roncone puts it.

Ukraine's own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official. He confirms that the GRU, in particular, has come to favor targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organization in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.

Instead, Zhora contends that the GRU's switch to a faster operating rhythm shows how the agency's hackers are racing—struggling, even—to keep up with the speed of physical war.

“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources," says Zhora. "They still try to carry out their expected role, to be Russia's most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they're still seeking new opportunities for intelligence and wiping options."

At times, Roncone and Wolfram say, GRU hackers do seem to be struggling to keep up with the new pace they've set. In one case, they saw the hackers backdoor an email server but set up their command-and-control server incorrectly, so that they failed to control it. In another case, they sent the wrong commands to a wiper tool, so that it failed to wipe the systems it had infected. "It's just the tempo and probably a bit of human error and burnout that leads to these sort of 'oopsies,'" says Roncone.

Another shift in the GRU's hacking to "quick and dirty" methods can be seen in the specific wiper malware that it uses, according to Roncone and Wolfram. Since May, Mandiant has observed GRU hackers deploying the relatively simple, targeted wiper malware known as CaddyWiper in nine different operations targeting Ukrainian organizations—five attacks in May and June, then another four last month.

The decision to make that small, straightforward wiper code its sabotage payload of choice represents a stark contrast with years past. In 2017 and 2018, the GRU group Sandworm unleashed complex destructive worms inside of target networks that took months to hone and deploy: automated, self-replicating, multi-featured code such as the Olympic Destroyer malware designed to cripple the Pyeongchang Winter Olympics and the NotPetya malware that hit Ukrainian networks and spread worldwide, causing an unprecedented $10 billion in damage.

In the early days of Russia's invasion, for reasons that aren't quite clear, Kremlin hackers targeting Ukraine appear to have used a grab bag of at least half a dozen wiping tools of varying quality inside of victim networks, such as HermeticWiper, WhisperGate, and AcidRain. But in more recent months, the GRU appears to have deployed mainly CaddyWiper, again and again, Mandiant found, though in modified forms, changed just enough to evade detection. (Ukraine's SSSCIP, for its part, declined to confirm whether it has seen the same nine CaddyWiper attacks Mandiant had tracked.

"It's like they've said, ‘We're not gonna build out a fancy multifaceted wiper like NotPetya that can worm on its own. What we need is just something that's really lightweight and easily modifiable and easily deployable,'" says Roncone. "So they're using this not-that-great, does-the-job wiper, which seems like part of shifting their entire tactical strategy to accommodate these fast-paced operations." And while those quick-and-dirty methods may not be as flashy or as innovative as the GRU cyberattacks of the past, they can nonetheless inflict serious digital chaos in a country that needs every resource it has to fend off Russia's invaders.

_Update 12:10 pm EST 11-10-22: Added MSTIC's attribution of the Prestige ransomware attacks on Ukraine and Poland to the GRU's Sandworm group._

Tag

#intel