The geopolitics surrounding the invasion of Ukraine are outside the scope of this column, but the cybersecurity ramifications are certainly fitting fodder. The challenge here is that almost everything of note that has happened in the last week has been initially linked to the conflict, but in several cases, the reported link hasn’t withstood scrutiny. We do know that the Vice Prime Minister of Ukraine put out a call on Twitter for “cyber specialists” to go after a list of Russian businesses and state agencies. Many of the sites on the list did go down for some time, the digital equivalent of tearing down a poster. In response, the largest Russian ISP stopped announcing BGP routes to some of the targeted sites, effectively ending any attacks against them from the outside.
A smattering of similar events has unfolded over the last week, like electric car charging stations in Russia refusing to charge and displaying a political message, “GLORY TO UKRAINE”. Not all the attacks have been so trivial. Researchers at ESET have identified HermeticWiper, a bit of malware whose only purpose is to destroy data. It has been found on hundreds of high-value targets, likely causing much damage. It is likely the same malware that Microsoft has dubbed FoxBlade, and Microsoft has published details about its response.
In very related news, the Conti ransomware gang announced that they would retaliate against Western cyberattacks against Russia or Russian-speaking regions. Their statement is reproduced in full here.
As a response to Western warmongering and American threats to use cyber warfare against the citizens of the Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression.
This has naturally attracted some strong criticism, most interestingly from the Twitter account @ContiLeaks. Just as the name suggests, this account is publishing internal chat logs between Conti members. There are two prevailing theories. The first is that the leaks come from a former member of Conti, a Ukrainian, who takes great offense at the gang’s stated support of Russia. The other theory, reported by [KrebsOnSecurity], is that the leaker is a Ukrainian security researcher with no previous affiliation with Conti. That raises plenty of questions, like how the logs were accessed in the first place. Either way, we get quite an interesting look into the Conti infrastructure.
The Conti ransomware leaks have unveiled Conti's primary Bitcoin address.
From April 21st, 2017 – February 28th, 2022 Conti has received 65,498.197 BTC
That is 2,707,466,220.29 USD.
— vx-underground (@vxunderground) February 28, 2022
Part of that inside look is the primary Bitcoin address used by Conti. In total, 65.5 thousand bitcoins have moved through that address, with a current market value of an astounding 2.7 billion US dollars. For further information and analysis, Krebs has been doing good work poring through the logs looking for nuggets.
And now to things that were initially thought to be related to Ukraine, but have turned out not to be. Nvidia had a major breach, and the actors responsible claim to have about a terabyte of proprietary data. This group, [Lapsus$], has made a pair of interesting demands.
The first is to unhobble cryptocurrency mining on Nvidia cards. In an attempt to keep video cards in stock so gamers can purchase them, Nvidia has opted to artificially throttle their hash rate for Ethereum and similar GPU-mined currencies (Bitcoin itself is mined on ASICs, so it is not what the limiter targets). The second demand, announced a few days later, is that Nvidia should completely open-source their GPU drivers. This demand, by the way, is essentially impossible. There is a web of patents, NDAs, and third-party code tied up in a proprietary driver as complex as a GPU driver, and much of it is out of Nvidia’s hands. For reference, when AMD decided to create an open-source Linux driver for their GPUs, the solution was to rewrite the entire driver from scratch.
On the other hand, the given deadline is Friday — the day this column publishes. If the attackers have the trove of data they claim, and actually release it all, it will be quite the blow to Nvidia. Quite humorously, there is a believable claim that Nvidia employees took advantage of the VPN used to exfiltrate data, and installed a ransomware client on the attacker’s machine. There’s some delicious irony in computer criminals being so outraged at getting hacked.
You Messed Up. What Now?
If you haven’t been here yet, just wait. We all mess up eventually, and leave a service exposed, or reuse a password that’s been compromised, or install a sketchy Docker image. My biggest blunder of this sort was accidentally forwarding port 22 from the outside world to a test machine, with a really simple root password. Yikes! When you realize there’s a problem, what next?
The folks at Sysdig wanted to address this. They simulated a mistake, leaving the Docker API world-accessible, and scored a malicious Docker image that someone helpfully installed for them. Running docker save backs up the image for analysis, writing it out as a .tar file. Then binwalk -e -M does a recursive extraction of the contents of the suspect .tar, yielding a root filesystem among other information. Combining this with docker inspect to find the startup command, you can begin to get an idea of what the image does. In this case, it leads to a binary in the image.
The first step in unknown binary analysis is strings, a very useful utility that spits out the printable ASCII strings found in a binary file. Here, that is enough to give the game away: the binary runs a series of shell commands that launch xmrig, a Monero miner. Given that these researchers are employed by Sysdig, they also show some nifty tricks using the sysdig command, like running a filter to see what other files in the image the malware was accessing. It seems that it scours the Apache logs looking for IP addresses, and then probes those hosts for open Docker APIs, too. This gives an important clue as to what kind of lateral movement was likely attempted. If this were a real scenario, any other system running Docker would have to be treated as suspect as well.
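The workflow above (docker save, recursive extraction, docker inspect for the start command, strings over the payload) can be scripted. What follows is an added example, my own code rather than Sysdig’s or anything from their write-up, that walks a docker save tarball in Python: it reads manifest.json, pulls Entrypoint and Cmd from the config JSON, opens every layer tar, and flags any file whose printable strings contain one of a hand-picked set of miner and Docker-API indicators. It assumes the classic docker save layout (a top-level manifest.json pointing at a config JSON and layer tars); the indicator list and the fabricated sample image it builds for a stand-alone run are my assumptions, not artifacts from the Sysdig case.

```python
"""Offline triage of a `docker save` tarball (added example, not Sysdig's code).

Assumption: the tarball uses the classic docker-save layout, i.e. a top-level
manifest.json whose entries name a config JSON and one or more layer tars.
"""
import io
import json
import re
import sys
import tarfile

# Hand-picked indicators (assumption): miner binaries and flags, the mining
# pool URL scheme, and signs of Docker API probing (the unauthenticated
# Docker API listens on TCP 2375 by default).
INDICATORS = ("xmrig", "stratum+tcp", "minerd", "--donate-level",
              ":2375", "docker.sock")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Poor man's `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_image(image_tar: bytes) -> dict:
    """Return the image's start command plus every layer file that trips an indicator."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))[0]
        # The `docker inspect` view: Entrypoint/Cmd live in the config JSON.
        config = json.load(outer.extractfile(manifest["Config"]))["config"]
        for layer_name in manifest["Layers"]:
            # Each layer is itself a tar: this is the binwalk -e -M recursion by hand.
            layer_bytes = outer.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    if not member.isfile():
                        continue
                    data = layer.extractfile(member).read()
                    hits = {ind for s in extract_strings(data)
                            for ind in INDICATORS if ind in s}
                    if hits:
                        findings.append({
                            "layer": layer_name,
                            "path": "/" + member.name.lstrip("./"),
                            "indicators": sorted(hits),
                        })
    return {
        "entrypoint": config.get("Entrypoint"),
        "cmd": config.get("Cmd"),
        "findings": findings,
    }


def _add_file(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Append an in-memory regular file to an open tar."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image() -> bytes:
    """Construct a stand-in for `docker save` output.

    Everything here is fabricated for the example: a harmless shell script that
    merely mentions a miner, not a real malicious image.
    """
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add_file(layer, "usr/local/bin/run.sh",
                  b"#!/bin/sh\n"
                  b"exec /usr/local/bin/xmrig -o stratum+tcp://pool.invalid:3333 "
                  b"--donate-level 0\n")
        _add_file(layer, "etc/motd", b"nothing to see here\n")
    config = {"config": {"Entrypoint": ["/usr/local/bin/run.sh"], "Cmd": None}}
    manifest = [{"Config": "config.json", "RepoTags": ["suspect:latest"],
                 "Layers": ["layer1/layer.tar"]}]
    image_buf = io.BytesIO()
    with tarfile.open(fileobj=image_buf, mode="w") as image:
        _add_file(image, "manifest.json", json.dumps(manifest).encode())
        _add_file(image, "config.json", json.dumps(config).encode())
        _add_file(image, "layer1/layer.tar", layer_buf.getvalue())
    return image_buf.getvalue()


if __name__ == "__main__":
    # Pass the path to real `docker save` output, or run with no argument to
    # triage the built-in fabricated sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_image()
    print(json.dumps(triage_image(blob), indent=2))
```

This is a first pass for triage, not a substitute for watching the binary run under sysdig: a packed or stripped binary will yield few useful strings, and a dropper that fetches its payload at runtime leaves nothing in the layers to match. It does give you the same two answers the article starts from, what the image runs on start and which files in which layer look like a miner, without touching a Docker daemon.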
Bits and Bytes
Remember the world before Let’s Encrypt? HTTPS certs either cost money or were a pain to get for free. If you were a corporation, then Extended Validation was the holy grail. It cost an arm and a leg, but you got the green Extended Validation badge in the web browser’s URL bar. The world is a different place now, and while you can technically still purchase an EV certificate, no major browser shows the EV badge any longer. This doesn’t stop certificate authorities from trying to sell EV certs, even if they have to use outdated information and imagery to do so. The lengths that DigiCert went to struck [Troy Hunt] as borderline dishonest, and he’s published an epic disassembly of the entire idea of EV certificates, and of DigiCert’s misleading marketing about them.
Ah, the Metaverse — Web 3.0, the Next Big Thing. Take NFTs, put them in virtual spaces, and invite the VR-goggled to play in the shared sandbox. This time, we’ll make it perfectly secure, too, right? Of course not. Guardio Security reports on the same old tricks being used to compromise wallets managed by the MetaMask browser extension. The trick? Perfectly recreate the expected login screen, then buy ads on search engines pointing to the fake page. To the unwary, or just someone in a hurry, it’s quite difficult to tell that it’s a fake. Even the newest of ideas can fall to the oldest of tricks.
The TeaBot trojan has learned a new trick. This remote access trojan was first discovered last year, spreading through SMS spam. It’s now being snuck onto phones through legitimate-seeming apps on the Google Play store. The trick is that a dropper application installs, and then immediately asks for permission to install a second app with the same name. That second app is the malicious one, but because of the name reuse the prompt looks enough like a basic permissions request to sneak through. The dropper discussed in the article had over 10,000 downloads and was well reviewed. It’s likely a repackage of an open-source app, just with a nasty surprise.