Cyber Security Headlines: Ukraine cyber chief Black Hat visit, Lockheed Martin breach?, $25 Starlink hack

Ukraine’s cyber chief makes surprise visit to Black Hat

Ukraine’s lead cybersecurity official, Victor Zhora, made an unannounced visit to Black Hat in Las Vegas last week, where he painted a bleak picture of the state of cyberwarfare in the country’s conflict with Russia. Zhora noted that cyber incidents in Ukraine have tripled since February, when Russia invaded. Zhora cited DDoS attacks that took many of Ukraine’s government agencies offline as well as the discovery of Industroyer2 malware, the apparent successor to Industroyer which enabled takeover of electrical substation software, power blackouts, and equipment damage. Additionally, six significant new strains of data-wiping malware have been identified this year. Zhora underscored the significance and severity of Russia’s cyber operations against Ukraine, stating, “This is perhaps the biggest challenge since World War Two for the world, and it continues to be completely new in cyberspace.”

(The Register)

Killnet claims to have hacked Lockheed Martin

The Moscow Times has reported that the pro-Russia Killnet group is claiming responsibility for a recent cyberattack on aerospace and defense giant Lockheed Martin. Killnet posted a video on Telegram, claiming to have stolen the personal information of Lockheed Martin employees, including names, email addresses, phone numbers, and pictures. Killnet also shared messages in Russian, stating, “If you have nothing to do, you can email Lockheed Martin Terrorists – photos and videos of the consequences of their manufactured weapons! Let them realize what they create and what they contribute to.” Lockheed Martin is aware of Killnet’s claims, but has yet to comment on them.

(Security Affairs)

Starlink successfully hacked using $25 modchip

Belgian researcher Lennert Wouters revealed at Black Hat how he successfully hacked SpaceX’s Starlink satellite-based internet system. Wouters created a custom board (modchip) using a Raspberry Pi microcontroller, flash storage, electronic switches and a voltage regulator, which he then attached to a Starlink dish. Using his $25 rig, Wouters leveraged a voltage fault injection attack to gain root access on a Starlink User Terminal (UT), which enabled execution of arbitrary code on the Starlink network. Because the glitch exists on the ROM bootloader that’s burned onto the system chip, an update cannot be deployed to fix the issue. Wouters disclosed the bug to SpaceX through its bug bounty program before disclosing it publicly. SpaceX issued a response commending Wouters on his finding and invited security researchers to “bring on the bugs.” SpaceX also assured that Starlink’s defense-in-depth security approach limits the impact of the issue on their network and users.

(Threatpost)

Over 9,000 VNC servers exposed online without a password

Researchers from Cyble have discovered at least 9,000 internet-exposed VNC (virtual network computing) endpoints that can be accessed without authentication. Making matters worse, the researchers were able to link some exposed VNC instances to industrial control systems, which should never be exposed to the Internet. For example, the researchers found one exposed VNC server led to a pump controller on a remote SCADA system in an undisclosed manufacturing plant. Most VNC exposures were located in China and Sweden, followed closely by the US, Spain, and Brazil. The researchers cited hacker forums and telemetry data to highlight the popularity of VNC weaknesses among hackers. VNC admins are advised to never expose VNC servers directly to the Internet without at least placing them behind a VPN.

(Bleeping Computer)

Zeppelin Ransomware resurfaces with new encryption tactics

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued a warning of the resurgence of Zeppelin ransomware, which is now employing new encryption tactics. Threat actors are exploiting remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and previously used phishing campaigns to deploy the new malware. Zeppelin appears to be applying multiple layers of encryption to its victims’ networks, requiring several unique decryption keys to restore their data. Cyberattacks using the new version of Zeppelin have also been much more targeted, first taking aim at tech and healthcare companies in Europe and the US.

(Threatpost)

Last week’s ransomware roundup

Unfortunately, last week was a very busy week for ransomware attacks, including attacks against Cisco and a Danish 7-Eleven, which we covered on Cyber Security Headlines. Other attacks included ista International and Advanced MSP, causing an outage for the UK’s NHS. Researchers were also keeping busy tracking ransomware gang movements to callback social engineering tactics and Cuba ransomware using new RAT malware. Finally, last week saw the US State Department offering a reward of up to $10 million for information helping to unveil Conti ransomware gang members.

(Bleeping Computer)

Tornado Cash developer arrested for money laundering

The Dutch Fiscal Information and Investigation Service said Friday that they have arrested an individual suspected of being a developer of the US-sanctioned Tornado Cash crypto mixing service. 29-year-old Alexey Pertsev was arrested in Amsterdam under suspicion of “concealing criminal financial flows and facilitating money laundering” through the crypto mixing service. The Dutch agency added that multiple arrests are not ruled out. According to the US Treasury, Tornado Cash has been used to launder more than $7 billion worth of virtual currency since 2019.

(TechCrunch and The Block)

Anonymous poop gifting site hacked

Sh–Express, a prank web service that lets you send a box of feces along with a personalized message to friends and enemies, has been breached after a “customer” spotted a vulnerability. Rather than responsibly reporting the issue, the customer, who is the well-known threat actor Pompompurin, exploited the bug and downloaded the entire customer database. Pompompurin then shared the database on a hacking forum, exposing the angry and colorful personal messages sent by customers along with their gifts. Initially, Pompompurin visited the prank site to send a token of appreciation to cybersecurity researcher Vinny Troia, with whom the hacker has had a long-standing feud, but then the hacker discovered the website was vulnerable to SQL injection.

(Bleeping Computer)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.