News Bytes#41: Kaspersky source code leaked… or was it? Anonymous continues attacks against the Russian government
Post Credit: Austin Miller
Another busy week! The threat landscape has changed so much over the last week that it’s difficult to keep up. Breaches that aren’t breaches, leaks of data we already had, and a variety of ransomware attacks mean that the world of cybersecurity is changing more than ever and we all need to be shields up!
Kaspersky source code leaked… or was it?
Russian-based antivirus provider Kaspersky reportedly suffered a breach that meant the entire source code for its software was leaked earlier this week. Although people were keen to explore the code and confirm suspicions that Kaspersky had been working with the Russian government on a large-scale data harvesting program, there are only two conclusions to be drawn at the moment:
- There is no evidence that there has been a leak at all, as evidenced by numerous big names in cybersecurity – including @campuscodi and @SosIntel – finding no documents relating to the Kaspersky source code.
- There is no evidence that Kaspersky is working on covert data harvesting for any government. Although Kaspersky does work with the Kremlin, their relationship seems to be no more incriminating than the US government working with their security providers.
The only data that has been found from this supposed leak is a crawler dump of the Kaspersky Labs pages, something that was already publicly available. If you’re a Kaspersky subscriber, there is no reason to expect that the antivirus company has been compromised.
Anonymous continues attacks against the Russian government
After the initial influx of DDoS attacks from hackers working under the Anonymous name, it seems that they have upgraded their tactics, techniques, and procedures this week. While the internet was referring to Anonymous as skiddies, it seems that they have launched a successful attack against the Bashkortostan oblast and leaked 340,000 files onto the internet.
Although a majority of these files were already leaked in previous attacks, there is definitely an escalation in the tools and tactics that Anonymous is using. As Anonymous is literally anyone who wants to hide their identity from the wider world, there have been some voices on the internet assuming that professional security analysts and nation-state security professionals are now contributing to the cause.
Cyber warfare spreads far and wide
We always knew it was happening, but now countries all over the world are pointing fingers at the possibility of large-scale, nation-state attackers. Not only are we seeing this from nations involved in the Ukrainian-Russian conflict, but we are also seeing accusations thrown against the US government.
The Chinese government has criticized the NSA for continued cyberattacks against Chinese infrastructure and reportedly more than 45 other countries. The NSA has been referred to as APT-C-40 and has reportedly played a part in the creation and distribution of the backdoor program UnitedRake, the QUANTUM attack system, and the fake server FOXACID.
Although this is still unconfirmed, accusations of long-term cyber warfare are becoming more public and the potential for retaliation on both sides is growing.
Chinese APT attacks the US
A reportedly Chinese-backed advanced persistent threat (APT, identified as APT41) exploited the known Log4Shell vulnerability in USAHerds, an animal-herding application. Using a SQL injection to work around the weak defenses in the app, it is suspected that the 18 states which use it to monitor animal health emergency reporting are at risk of breaches.
In addition to the Log4j exploit, the adversary seems to have also exploited CVE-2021-44207 in order to access state-level servers and confidential data. If you are currently working in a sector which has contact with the Animal Health Emergency Reporting Diagnostic System, rolling out updates for the Log4Shell exploit and the Windows Exchange Server weaknesses, as well as defenses against ProxyShell attacks, is the number one priority.
RagnarLocker targets the US
In an unrelated attack, 52 American entities – of which 10 were critical infrastructure – have been affected by the RagnarLocker ransomware. Although we do not know the source of the attack yet, RagnarLocker uses the Windows API GetLocaleInfoW to identify whether the system is in a CIS-aligned country (including Ukrainian systems).
As many US government entities were targeted and infected, it makes the threat landscape even more precarious right now. Although this type of ransomware was identified as early as late 2019, there is no definitive way to stop it from infecting your system. All information related to RagnarLocker – including ransom notes, demands, and infection timelines – should be provided to the FBI or the appropriate government agency in your country.
Some good news…
1Password has increased its bug bounty rewards to $1,000,000 – there may be some very happy security researchers in the near future!