Satellite comms networks on alert after US govt warning

In Brief US federal agencies have warned of possible threats to American and international satellite communication (SATCOM) networks that could affect customers.

In a joint security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI "strongly encourage" critical infrastructure operators, along with SATCOM network providers and customers, to put in place a series of mitigation steps to shore up their networks.

These include:

• Implementing additional monitoring for anomalous traffic at ingress and egress points to SATCOM equipment.
• Monitoring network logs for suspicious activity and unauthorized or unusual login attempts.
• Using strong passwords and other methods of authentication including multi-factor authentication.
• Enforcing least-privilege access via authorization policies.
• Reviewing existing trust relationships with IT service providers.
• Implementing independent encryption across all communications links leased from or provided by SATCOM providers.
• Creating and practicing a cyber-incident response plan.

"Given the current geopolitical situation, CISA's Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity," the agency warned.

The alert follows a cyberattack against satellite communications provider Viasat that began on the day Russia invaded Ukraine, a move that apparently knocked out tens of thousands of KA-SAT SATCOM terminals in Europe. Viasat's KA-SAT bird provides connectivity to the UK, continental Europe, western Russia, and Turkey. Viasat is also a US and UK military contractor.

Stop the noise

Security teams (still) suffer from alert fatigue with the financial sector being hit the hardest, according to a new Orca Security report.

The cloud security vendor conducted a global survey of 813 IT decision makers across five countries (US, UK, France, Germany, and Australia) and 10 industries, and found 59 percent of respondents receive more than 500 public cloud security alerts every day. 

It's even worse for security teams at financial institutions: 71 percent of these respondents see more than 500 such alerts on a daily basis, 85 percent have more than 500 public cloud alerts open, and 63 percent say they spend more than 20 percent of their time each day reviewing and prioritizing alerts.

Orca also found siloed security tools make the problem even worse. It cited 87 percent of respondents that use five or more public cloud security tools. The biggest culprits here are networking scanning tools (84 percent) and cloud platform native security tools (82 percent).

Another interesting snippet: the incongruity between respondents' confidence in and satisfaction with their security tools versus how well they say these products actually perform.

Almost all (95 percent) report they are confident or very confident in the tools' accuracy, while 43 percent say more than 40 percent of their security alerts turn out to be false positives. And 97 percent say they are satisfied or very satisfied with their cloud security products' ability to prioritize risk. But almost half (49 percent) say that more than 40 percent of alerts are low priority.

More Conti leak analysis, please

Show of hands: who else is losing sleep because they can't stop scrolling for more Conti leak analyses?

Check Point Research, in its latest analysis of the Russian-backed ransomware gang, produced a particularly useful report to illustrate how communications between members and affiliates work. It lets viewers drag a user node to see the various team members' connections and the amount of messages they send to other members in the criminal operation.

The security shop also discussed the recruitment sites that the Conti HR department uses: Russian-speaking headhunting services such as headhunter.ru and superjobs.ru, although Check Point noted that Conti had less success with the latter. 

"You might wonder 'why does headhunter.ru offer such a service?', and the answer is, they don't," the threat researchers wrote. "Conti simply bought the software, which provides access to the 'borrowed' CV pool without permission, which seems to be standard practice in the cybercrime world."

Meanwhile, security monitoring firm Arctic Wolf says it used the Conti leaks combined with its own dark web monitoring and ransomware response data to quantify Conti victims by geographic location. Most (52 percent) have headquarters in the US, followed by Germany (9 percent), and the UK (8 percent). 

• Viasat, Rosneft hit by cyberattacks as Ukraine war spills online
• Dunno about you, but we're seeing an 800% increase in cyberattacks, says one MSP
• Analysis of leaked Conti files blows lid off ransomware gang
• Exotic Lily is a business-like access broker for ransomware gangs

Not to be left out, Russian-speaking cybersecurity researchers at Forescout have also been pouring over the Conti leaks and this week published a 14-page report [PDF].

"One of the Conti files roughly translated to the "hacker's quickstart guide," according to the security firm's analysis.

As the name suggests, the file provides recommendations for attacking networks and gaining persistence. Forescout summarizes the three main points:

• IoT devices are a major initial attack surface.
• RDP is recommended as an "initial backdoor."
• Active Directory/Domain Controllers are often the primary target before achieving persistence.

"Active Directory servers are most convenient for exploitation: often, typical misconfigurations can be found, there are plenty of vulnerabilities (such as Zerologon) and common resources enabled by default (e.g. default network shares)," the report said. "In particular, such common resources not only help regular employees to do their day-to-day job, but also make the job of the attackers significantly easier."

Log4j still a pain point

Almost a third (30 percent) of Log4j instances remain vulnerable to exploit, according to Qualys's latest research.

The security vendor also released a new, open-source Log4j scanning tool in addition to free access to its platform for 30 days.

It's been three months since the vulnerability, affecting Apache's popular Java-based logging tool, was disclosed on December 9. A mere 72 hours later, cyber criminals had launched almost a million attack attempts.

The security provider says its endpoint detection and response product detected 22,000 potential attacks per week "at the height of the crisis."

Overall, the bug was detected in more than 2,800 web apps, according to Qualys, and most (more than 80 percent) were Linux-based.

Some 68,000 vulns were found in cloud workloads and containers across the US, Europe, the Middle East, and Africa. And more than half of the apps with Log4j were flagged "end-of-support," meaning that software providers won't provide security patches.

(Gh0st)Cringe-worthy RAT

Researchers from ​​AhnLab detailed a remote access trojan (RAT) dubbed Gh0stCringe that infects Microsoft SQL and MySQL, especially "poorly managed DB servers with vulnerable account credentials," according to the Korean security shop's blog.

Gh0stCringe, aka CirenegRAT, is based on the code of Gh0st RAT.

As Malwarebytes Labs noted: "The Gh0st RAT source code was publicly released, so we've seen quite a lot of malware based on this code." 

The original Gh0st RAT uses a signature string called "Gh0st" to communicate with the command-and-control server. 

After establishing communications, the newer Gh0stCringe RAT can perform any number of evil deeds including connecting to specific URLs without the user knowing, keylogging, stealing information, downloading additional payloads, and destroying data. ®