Satellite comms networks on alert after US govt warning

Plus: Security teams burning out, more Conti leaks analysis, and Log4j still plagues enterprises


In Brief US federal agencies have warned of possible threats to American and international satellite communication (SATCOM) networks that could affect customers.

In a joint security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI "strongly encourage" critical infrastructure operators, along with SATCOM network providers and customers, to put in place a series of mitigation steps to shore up their networks.

These include:

  • Implementing additional monitoring for anomalous traffic at ingress and egress points to SATCOM equipment.
  • Monitoring network logs for suspicious activity and unauthorized or unusual login attempts.
  • Using strong passwords and other methods of authentication including multi-factor authentication.
  • Enforcing least-privilege access via authorization policies.
  • Reviewing existing trust relationships with IT service providers.
  • Implementing independent encryption across all communications links leased from or provided by SATCOM providers.
  • Creating and practicing a cyber-incident response plan.

"Given the current geopolitical situation, CISA's Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity," the agency warned.

The alert follows a cyberattack against satellite communications provider Viasat that began on the day Russia invaded Ukraine, a move that apparently knocked out tens of thousands of KA-SAT SATCOM terminals in Europe. Viasat's KA-SAT bird provides connectivity to the UK, continental Europe, western Russia, and Turkey. Viasat is also a US and UK military contractor.

A security breach at online CRM and marketing outfit HubSpot has had a knock-on effect, leading to the leak of some customer information from no more than 30 HubSpot clients, including BlockFi, Swan Bitcoin, NYDIG, and Circle. It appears the intrusion was targeted at cryptocurrency biz.

According to HubSpot, "a bad actor compromised a HubSpot employee account" to get at the contact info people used to sign up to services.

Stop the noise

Security teams (still) suffer from alert fatigue with the financial sector being hit the hardest, according to a new Orca Security report.

The cloud security vendor conducted a global survey of 813 IT decision makers across five countries (US, UK, France, Germany, and Australia) and 10 industries, and found 59 percent of respondents receive more than 500 public cloud security alerts every day. 

It's even worse for security teams at financial institutions: 71 percent of these respondents see more than 500 such alerts on a daily basis, 85 percent have more than 500 public cloud alerts open, and 63 percent say they spend more than 20 percent of their time each day reviewing and prioritizing alerts.

Orca also found siloed security tools make the problem even worse. It cited 87 percent of respondents that use five or more public cloud security tools. The biggest culprits here are networking scanning tools (84 percent) and cloud platform native security tools (82 percent).

Another interesting snippet: the incongruity between respondents' confidence in and satisfaction with their security tools versus how well they say these products actually perform.

Almost all (95 percent) report they are confident or very confident in the tools' accuracy, while 43 percent say more than 40 percent of their security alerts turn out to be false positives. And 97 percent say they are satisfied or very satisfied with their cloud security products' ability to prioritize risk. But almost half (49 percent) say that more than 40 percent of alerts are low priority.

More Conti leak analysis, please

Show of hands: who else is losing sleep because they can't stop scrolling for more Conti leak analyses?

Check Point Research, in its latest analysis of the Russian-backed ransomware gang, produced a particularly useful report to illustrate how communications between members and affiliates work. It lets viewers drag a user node to see the various team members' connections and the amount of messages they send to other members in the criminal operation.

The security shop also discussed the recruitment sites that the Conti HR department uses: Russian-speaking headhunting services such as headhunter.ru and superjobs.ru, although Check Point noted that Conti had less success with the latter. 

"You might wonder 'why does headhunter.ru offer such a service?', and the answer is, they don't," the threat researchers wrote. "Conti simply bought the software, which provides access to the 'borrowed' CV pool without permission, which seems to be standard practice in the cybercrime world."

Meanwhile, security monitoring firm Arctic Wolf says it used the Conti leaks combined with its own dark web monitoring and ransomware response data to quantify Conti victims by geographic location. Most (52 percent) have headquarters in the US, followed by Germany (9 percent), and the UK (8 percent). 

Not to be left out, Russian-speaking cybersecurity researchers at Forescout have also been pouring over the Conti leaks and this week published a 14-page report [PDF].

"One of the Conti files roughly translated to the "hacker's quickstart guide," according to the security firm's analysis.

As the name suggests, the file provides recommendations for attacking networks and gaining persistence. Forescout summarizes the three main points:

  • IoT devices are a major initial attack surface.
  • RDP is recommended as an "initial backdoor."
  • Active Directory/Domain Controllers are often the primary target before achieving persistence.

"Active Directory servers are most convenient for exploitation: often, typical misconfigurations can be found, there are plenty of vulnerabilities (such as Zerologon) and common resources enabled by default (e.g. default network shares)," the report said. "In particular, such common resources not only help regular employees to do their day-to-day job, but also make the job of the attackers significantly easier."

Log4j still a pain point

Almost a third (30 percent) of Log4j instances remain vulnerable to exploit, according to Qualys's latest research.

The security vendor also released a new, open-source Log4j scanning tool in addition to free access to its platform for 30 days.

It's been three months since the vulnerability, affecting Apache's popular Java-based logging tool, was disclosed on December 9. A mere 72 hours later, cyber criminals had launched almost a million attack attempts.

The security provider says its endpoint detection and response product detected 22,000 potential attacks per week "at the height of the crisis."

Overall, the bug was detected in more than 2,800 web apps, according to Qualys, and most (more than 80 percent) were Linux-based.

Some 68,000 vulns were found in cloud workloads and containers across the US, Europe, the Middle East, and Africa. And more than half of the apps with Log4j were flagged "end-of-support," meaning that software providers won't provide security patches.

(Gh0st)Cringe-worthy RAT

Researchers from ​​AhnLab detailed a remote access trojan (RAT) dubbed Gh0stCringe that infects Microsoft SQL and MySQL, especially "poorly managed DB servers with vulnerable account credentials," according to the Korean security shop's blog.

Gh0stCringe, aka CirenegRAT, is based on the code of Gh0st RAT.

As Malwarebytes Labs noted: "The Gh0st RAT source code was publicly released, so we've seen quite a lot of malware based on this code." 

The original Gh0st RAT uses a signature string called "Gh0st" to communicate with the command-and-control server. 

After establishing communications, the newer Gh0stCringe RAT can perform any number of evil deeds including connecting to specific URLs without the user knowing, keylogging, stealing information, downloading additional payloads, and destroying data. ®


Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022