Windows TCO Tales
-
The Record ☛ NY governor says cyberattack on legislative office is holding up state budget
“We have to go back to the more antiquated system we had in place from 1994. You know this happened very, very early in the morning and so we’ve been on top of this. Our understanding right now is that it will take a little bit longer to deal with the legislative side of it because a lot of data is included in the computers,” she said.
“We’re finding the path forward using the 1994 computers we have that we still have access to.”
-
Silicon Angle ☛ Researchers warn updated Cerber ransomware is targeting critical Confluence vulnerability
Cerber ransomware has been around since 2016. The last time SiliconANGLE wrote about it was in 2017, but through the years Cerber has always been around, if sporadically and not always gaining attention.
The new Cerber campaign is targeting CVE-2023-22518, a severe vulnerability in Confluence revealed last year that allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using a compromised account, an attacker can perform all administrative actions available to a Confluence instance administrator, including total loss of confidentiality, integrity and availability.
-
The Record ☛ Malicious cyber activity spiking in Philippines, analysts say
Resecurity noted that many of the attacks, including those conducted by hacktivists, could be a "pre-staging for broader malicious, foreign cyber-threat actor activity in the region," including cyber espionage and targeted attacks against government agencies and critical infrastructure.
"Considering the Philippines' strategic significance in the Indo-Pacific, foreign actors interested in destabilizing civil society may support such activity," researchers said.
-
The Record ☛ Russia-linked backdoor targets Eastern European networks
Cybersecurity researchers have detailed the operation of little-known Russian backdoor malware that has been used in attacks against victims in Eastern Europe since at least mid-2022.
The malware, labeled Kapeka, is likely linked to the hacker group Sandworm, operated by the Russian military intelligence service (GRU), according to Finnish cybersecurity company WithSecure.
The company said in a report shared with Recorded Future News that the backdoor is likely an update to Sandworm’s arsenal for use in espionage campaigns and sabotage operations. Code like Kapeka is built to give hackers network access to deploy other malware.
The researchers also discovered overlaps between Kapeka and Sandworm’s other malicious tools.
-
[Repeat] Wired ☛ [Crackers] Linked to Russia’s Military Claim Credit for Sabotaging US Water Utilities
Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the [crackers] have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the [crackers] may have managed against any of those facilities.
-
Google ☛ Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm | Google Cloud Blog
However, as the war has endured, APT44’s relative focus has transitioned away from disruption to intelligence collection. The group’s targets and methods have shifted significantly in the second year of the war, with increasing emphasis placed on espionage activity intended to provide battlefield advantage to Russia’s conventional forces. For example, one long-running APT44 campaign has assisted forward-deployed Russian ground forces to exfiltrate communications from captured mobile devices in order to collect and process relevant targeting data. APT44’s approach to supporting Russia’s military campaign has evolved considerably over the past two years.
-
[Repeat] SANS ☛ Malicious PDF File Used As Delivery Mechanism
Billions of PDF files are exchanged daily and many people trust them because they think the file is "read-only" and contains just "a bunch of data". In the past, badly crafted PDF files could trigger nasty vulnerabilities in PDF viewers. All of them were affected at least once, especially Acrobat or FoxIt readers. A PDF file can also be pretty "dynamic" and embed JavaScript scripts, auto-open action to trigger the execution of a script (for example PowerShell on Windows, etc), or any other type of embedded data.
-
The Record ☛ Atlantic fisheries body confirms cyber incident after 8Base ransomware gang claims breach
The Atlantic States Marine Fisheries Commission (ASMFC) — an 80-year-old organization created by Congress and made up of officials from the Atlantic coast states — said this week that its email system is down.
The organization was forced to create a temporary email address and provide a phone number people can use to contact the information.
-
The Record ☛ Food and agriculture sector hit with more than 160 ransomware attacks last year
Thus far in the first quarter of 2024, the sector has counted 40 attacks, a slight decrease on the year before.
Multiple large food companies dealt with cyber incidents in 2023, including Dole, Sysco and Mondelez. The U.S. Department of Agriculture (USDA) told Recorded Future News last year that it was affected by a ransomware group’s exploitation of a popular file transfer tool, exposing troves of industry information.
Jonathan Braley, director of the Food and Ag-ISAC — which was formed in 2022 following a run of attacks on the industry that directly affected food pricing — told Recorded Future News that the sector is in the middle of the pack compared to other critical infrastructure sectors affected by ransomware.
Ransomware gangs are going after low-hanging fruit and organizations with discoverable or exploitable security lapses, he said. Braley noted that there was a 54% increase in ransomware attacks across sectors in January, year-on-year. The law enforcement takedowns of LockBit and BlackCat are having a noticeable effect, he said, with steep decreases seen in both February and March.
-
Scoop News Group ☛ Ex-White House cyber official says ransomware payment ban is a ways off
A ransomware payment ban remains “the North Star” for U.S. cybersecurity experts looking to curtail hacking groups’ leverage over companies, but “real steps” remain before the country can get to that point, a former White House cyber official said Tuesday.
-
[Repeat] Scoop News Group ☛ Congress rails against UnitedHealth Group after ransomware attack
Since the Feb. 21 ransomware attack — arguably the most consequential cyberattack on critical infrastructure since the Colonial Pipeline attack three years ago — UnitedHealth Group has been under scrutiny for both its acquisition of Change Healthcare as well as what members consider to be its poor response to the incident. The Department of Health and Human Services announced an investigation into whether the payment processor and its parent company were in compliance with federal health data privacy laws.
-
Wired ☛ Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse
The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.
-
Futurism ☛ You Know How Microsoft Keeps Pestering You to Upgrade to Windows 11? Now It's Officially Putting Ads in Its Start Menu
But here's a good reason why you shouldn't. On Friday, Microsoft announced that it will now start testing ads in the form of "recommendations" in the Windows 11 Start Menu, in what is yet another attempt by the company to integrate advertising into its operating systems.
The ads won't be rolled out to most users, at least initially. Instead, the feature will be tested on Windows 11 Insiders that opt into the US Beta Channel, Microsoft said in a blog post.
Update
3 more:
-
Decade-old malware haunts Ukrainian police
A virus dating to 2015 is still hitting targets in Ukraine, showing its enduring power.
-
Kapeka: A New Backdoor in Sandworm’s Arsenal of Aggression
Kapeka is a new backdoor that may be a new addition to Russia-linked Sandworm’s malware arsenal and possibly a successor to GreyEnergy.
-
Recent OT and Espionage Attacks Linked to Russia’s Sandworm, Now Named APT44
Mandiant summarizes some of the latest operations of Russia’s notorious Sandworm group, which it now tracks as APT44.