Cyber Security Today, Feb. 16, 2024 – US takes down Russian botnet of routers


Welcome to Cyber Security Today. It’s Friday, February 16th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


American authorities have neutralized a botnet of hundreds of compromised small office and home office routers that Russia's military intelligence cyber unit used to stage attacks. Cybersecurity researchers track this threat actor under several names, including APT28, Fancy Bear and Forest Blizzard. The compromised devices were Ubiquiti Edge routers whose owners had not changed the default administrator password. The Justice Department said it obtained court authorization to use the malware's own command channel to delete stolen and malicious files from the routers. Remote management access was also blocked to give the owners time to mitigate the compromise and reassert full control. However, a factory reset restores the default password, so owners and administrators who reset their Ubiquiti Edge routers without then changing that password will be open to compromise all over again. That, of course, is true for any internet-connected device.

This was the second time in two months the U.S. has disrupted state-sponsored hackers launching cyber attacks from compromised American routers.

Also on Thursday the U.S. offered a US$10 million reward for information leading to the identification or location of the leaders of the AlphV/BlackCat ransomware operation. Up to US$5 million is also available for information leading to the arrest or conviction of anyone taking part in a ransomware attack using this variant. In December the U.S. and several other countries announced a joint operation against the gang, and as part of it a decryptor for this strain of ransomware was released for victims to use. This week the AlphV gang listed Canada's Trans-Northern Pipelines as one of its victims. The company said the attack happened last November.

ESET has issued patches for several of its server, business and consumer security products for Windows. These include ESET File Security for Microsoft Azure, ESET Security for SharePoint Server, Mail Security for IBM Domino and for Exchange Server and consumer products such as NOD32 Antivirus and Internet Security.

South Korean researchers have found a weakness in the Rhysida ransomware's encryption that lets victims recover their files without paying. Thanks to their work the country's security agency has issued a recovery tool, with instructions available in English. However, as security reporter Graham Cluley notes, now that the method is public the ransomware's developers will likely close the hole.

The developer of Kryptina, a ransomware-as-a-service operation targeting Linux systems, has changed strategy: the code is now being given away. Researchers at SentinelOne say the developer ran the rental service for only two months before publishing the entire source code this month on a criminal forum, saying there were no customers. Freely available ransomware source code is an opportunity other crooks will take advantage of.

Mandiant released an analysis of recent cyber activity in the Middle East. Among the findings: Hamas-linked cyber groups were active with phishing attacks against several countries in the region before the October 7th killings in Israel. But since that attack there has been no significant online activity from these groups. However, recently one Hamas-linked group has launched social engineering campaigns showing advances in their cyber capabilities to deliver custom malware to high-value targets in Israel. Iranian groups since the October 7 attacks have been trying to undercut support for the war in Israel with hack-and-leak cyber attacks. Meanwhile Iran believes a cyber attack that disrupted service to gas stations came from Israel.

Finally, almost every manufacturer wants to add wireless connectivity to its products. But if that connectivity can be hacked it's bad news for buyers and for the company's reputation. Here's an example: TechCrunch reported this week that Livall, a maker of smart ski and bike helmets, had to fix a security flaw that allowed real-time location tracking of anyone wearing its helmets. The helmets get their connectivity through a companion app on the wearer's smartphone, and the app's group feature used a six-digit code that could easily be brute-forced: with only a million possible values, an attacker can simply try them all.
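To show why a six-digit group code fails and what the fix looks like, here is an added illustration written for this page. It is a toy simulation, not Livall's app code and not anything TechCrunch disclosed; the class names, the join() API, the group names and the attempt limits are all invented for the example. The weak service uses a six-digit numeric code with no throttling, so an attacker enumerates the whole keyspace; the hardened service uses a 128-bit random code, compares it in constant time and locks a client out after a handful of failures.

```python
"""Added example: brute-forcing a six-digit group code versus a hardened join flow.

Constructed simulation, not the helmet vendor's code. Names and limits are assumptions.
"""
import hmac
import math
import secrets


class WeakGroupService:
    """Six-digit numeric code, no rate limit, no lockout (the weak pattern)."""

    def __init__(self):
        self._groups = {}   # code -> group name (constructed data)
        self.attempts = 0   # how many join() calls the service has answered

    def create_group(self, name):
        code = f"{secrets.randbelow(10**6):06d}"   # keyspace is only 10^6
        self._groups[code] = name
        return code

    def join(self, code):
        self.attempts += 1
        return self._groups.get(code)   # any client may guess without limit


def enumerate_weak(service):
    """Attacker against the weak service: walk all 10^6 codes, collect every hit."""
    found = []
    for n in range(10**6):
        name = service.join(f"{n:06d}")
        if name is not None:
            found.append((f"{n:06d}", name))
    return found


class HardenedGroupService:
    """High-entropy code, constant-time comparison, per-client lockout."""

    def __init__(self, max_attempts=10, code_bytes=16):
        self._groups = {}     # code -> group name
        self._failures = {}   # client_id -> consecutive failed joins
        self.max_attempts = max_attempts
        self.code_bytes = code_bytes

    def create_group(self, name):
        code = secrets.token_urlsafe(self.code_bytes)   # 16 bytes = 128 bits of entropy
        self._groups[code] = name
        return code

    def join(self, client_id, code):
        if self._failures.get(client_id, 0) >= self.max_attempts:
            raise PermissionError("client locked out after too many failed joins")
        # Compare against every stored code in constant time so the response
        # time does not leak how many leading characters matched.
        for stored, name in self._groups.items():
            if hmac.compare_digest(stored, code):
                self._failures.pop(client_id, None)
                return name
        self._failures[client_id] = self._failures.get(client_id, 0) + 1
        return None


def attack_hardened(service, client_id, budget):
    """Attacker against the hardened service: random guesses until locked out or budget spent.

    Returns (groups found, guesses the service actually answered)."""
    found, answered = [], 0
    for _ in range(budget):
        guess = secrets.token_urlsafe(service.code_bytes)
        try:
            name = service.join(client_id, guess)
        except PermissionError:
            break
        answered += 1
        if name is not None:
            found.append((guess, name))
    return found, answered


def keyspace_bits(weak_codes=10**6, hardened_bytes=16):
    """Entropy of each scheme in bits, to make the gap concrete."""
    return math.log2(weak_codes), hardened_bytes * 8


if __name__ == "__main__":
    weak = WeakGroupService()
    secret_code = weak.create_group("ski-trip")          # constructed group
    print("weak service, attacker found:", enumerate_weak(weak), "after", weak.attempts, "guesses")

    hard = HardenedGroupService(max_attempts=10)
    hard.create_group("ski-trip")
    print("hardened service, attacker found:", attack_hardened(hard, "attacker", 1000))
    print("keyspace bits (weak, hardened):", keyspace_bits())
```

The enumeration of the weak service takes about a second on a laptop; against a real API the only thing slowing it down is network round trips, which is why a short numeric code with no server-side throttling is effectively public. The hardened variant is meant to show the two controls that matter, a code the attacker cannot enumerate and a server that stops answering after a few failures, rather than to prescribe a particular product design.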

Later this afternoon my Week in Review podcast will be out. This week guest commentator David Shipley and I will discuss new cyber incident and data breach reporting obligations for American telecom companies; the progress of Canada’s proposed cybersecurity law and more.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, Feb. 16, 2024 – US takes down Russian botnet of routers first appeared on IT World Canada.
Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
