At a glance.
The Nerbian RAT is out.
Proofpoint, in a report issued this morning, describes a new, OS-agnostic RAT written in the increasingly popular Go language. The researchers call it "Nerbian," and say that it "leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries."
NPM dependencies exploited, but to what end?
ReversingLabs yesterday blogged about an NPM dependency confusion that's been exploited recently in attacks against large German firms. "New npm packages discovered last week by ReversingLabs appear to target a major German media conglomerate as well as a major rail and logistics operator. The packages are similar to those discovered by researchers at the firm Snyk and disclosed in late April." It's unclear who was behind the attacks, what their objectives were, or even how successful they were, but it seems clear that NPM attacks are more widespread than hitherto believed. JFrog, which has also been tracking the incidents, sees a similar ambiguity, and thinks the attacks could be the work of either a sophisticated threat actor or an unusually aggressive penetration tester.
Advisories from CISA and its partners.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday released six industrial control system (ICS) security advisories. The advisories include Adminer in Industrial Products, Eaton Intelligent Power Protector, Eaton Intelligent Power Manager Infrastructure, Eaton Intelligent Power Manager, AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere, and Mitsubishi Electric MELSOFT GT OPC UA.
CISA has also added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: the Microsoft Windows LSA Spoofing Vulnerability (which "contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM") and F5's BIG-IP Missing Authentication Vulnerability (which "contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services"). US Federal civilian agencies have until June 1st to address the former, and until May 31st to address the latter. The SANS Institute has published a more detailed study of the BIG-IP issue, which F5 addressed in an update last week.
And, concerned about a growing threat to managed service providers (MSPs), the Five Eyes have issued a joint Alert with advice to MSPs and their customers on preventing and responding to cyberattacks staged against and through MSPs.
The following section pertains directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
More attribution of the Viasat cyberattack to Russia.
We saw yesterday that the European Union had formally attributed the cyberattack against Viasat's KA-SAT network, which took place an hour before combat operations began against Ukraine, to Russia. Other allied governments were quick to second that attribution.
The US Department of State said, after drawing attention to Russian use of wiper malware in its cyber prep, "Today, in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries. The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens."
The US Cybersecurity and Infrastructure Security Agency (CISA) updated their March 17th Alert (AA22-076A) "Strengthening Cybersecurity of SATCOM Network Providers and Customers," to explain that the threat to SATCOM networks they warned about was indeed a Russian threat.
The attribution offered by Britain's NCSC is more specific: it calls out "Russian military intelligence, the GRU," as the organization responsible for the cyberattacks. Estonia is equally specific: "[I]t can be stated with high certainty that the GRU was behind these attacks." The British Government also sees, as the Telegraph explains, the cyberattacks against the German wind turbine sector as a side benefit of the prep fire directed against Ukraine's Internet. Both the British Foreign Minister and the US Secretary of State emphasized this indiscriminate aspect of the Russian cyberattack.
Canada, in a joint statement by the Ministers of Foreign Affairs, National Defence, and Public Safety, condemned the Russian attack. “Canada assesses that the Russian military was behind this incident. Russia’s illegal invasion of Ukraine, its malicious cyber activity, and its egregious disinformation campaigns are unacceptable and must stop." The ministers added a brief history lesson to put the attack in the context of what the US State Department called "the Russian playbook": “This most recent incident underlines a pattern of disruptive cyber activity that demonstrates a repeated disregard for the rules-based international order. This activity also demonstrates the willingness of Russia to use its cyber capabilities irresponsibly."
Australia's Ministers of Foreign Affairs, Defence, and Home Affairs concentrated on Russia's use of cyberattacks as battlespace preparation: "Today we join the US and the EU in attributing to the Russian government the following activity.... These unacceptable activities are further examples of Moscow’s indiscriminate approach to cyber operations and blatant disregard for the effects of such operations on the public, including through the commercial sector." And the statement adds a pointed reminder to Moscow: "Australia is committed to imposing costs on state-based or state-sponsored malicious actors who seek to undermine an open, free, safe and secure cyberspace."
That further attacks must be considered at least possible, perhaps probable, is a conclusion to be drawn from MIT Technology Review's coverage of the cyberattack on Viasat terminals. The Russians used the AcidRain wiper against the systems, and AcidRain is striking in its general-purpose adaptability. Technology Review quotes SentinelOne researcher Andres Guerrero-Saade, who says, “What’s massively concerning about AcidRain is that they’ve taken all the safety checks off. With previous wipers, the Russians were careful to only execute on specific devices. Now those safety checks are gone, and they are brute-forcing. They have a capability they can reuse. The question is, what supply-chain attack will we see next?”