U.S. charges Russian hackers blamed for Ukraine power outages and the NotPetya ransomware attack

Six Russian intelligence officers accused of launching some of the “world’s most destructive malware” — including an attack that took down the Ukraine power grid in December 2015 and the NotPetya global ransomware attack in 2017 — have been charged by the U.S. Justice Department.

Prosecutors said the group of hackers, who work for the Russian GRU, are behind the “most disruptive and destructive series of computer attacks ever attributed to a single group.”

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Demers, U.S. U.S. assistant attorney general for national security. “Today the Department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

The six accused Russian intelligence officers. (Image: FBI/supplied)

In charges laid out Monday, the hackers are accused of developing and launching attacks using the KillDisk and Industroyer (also known as Crash Override) to target and disrupt the power supply in Ukraine, which left hundreds of thousands of customers without electricity two days before Christmas. The prosecutors also said the hackers were behind the NotPetya attack, a ransomware attack that spread across the world in 2017, causing billions of dollars in damages.

The hackers are also said to have used Olympic Destroyer, designed to knock out internet connections during the opening ceremony of the 2018 PyeongChang Winter Olympics in South Korea.

Prosecutors also blamed the six hackers for trying to disrupt the 2017 French elections by launching a “hack and leak” operation to discredit the then-presidential frontrunner, Emmanuel Macron, as well as launching targeted spearphishing attacks against the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory, tasked with investigating the use of the Russian nerve agent Novichok in Salisbury, U.K. in 2018, and attacks against targets in Georgia, the former Soviet state.

The alleged hackers — Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32 — are all charged with seven counts of conspiracy to hack, commit wire fraud, and causing computer damage.

The accused are believed to be in Russia. But the indictment serves as a “name and shame” effort, frequently employed by Justice Department prosecutors in recent years where arrests or extraditions are not likely or possible.

Healthcare giant UHS hit by ransomware attack, sources say

Universal Health Services, one of the largest healthcare providers in the U.S., has been hit by a ransomware attack.

The attack hit UHS systems early on Sunday morning, according to two people with direct knowledge of the incident, locking computers and phone systems at several UHS facilities across the country, including in California and Florida.

One of the people said the computer screens changed with text that referenced the “shadow universe,” consistent with the Ryuk ransomware. “Everyone was told to turn off all the computers and not to turn them on again,” the person said. “We were told it will be days before the computers are up again.”

It’s not immediately known what impact the ransomware attack is having on patient care.

An executive who oversees cybersecurity at another U.S. hospital system, who asked not to be named as they were not authorized to speak to the press, told TechCrunch that patient medical data is “likely safe” as UHS relies on Cerner, a healthcare technology company, to handle its patients’ electronic health records.

UHS has 400 hospitals and healthcare facilities in the U.S. and the U.K., and serves millions of patients each year.

A spokesperson for UHS did not immediately respond to a request for comment.

The Ryuk ransomware is linked to a Russian cybercrime group, known as Wizard Spider, according to security firm Crowdstrike. Ryuk’s operators are known to go “big game hunting” and have previously targeted large organizations, including shipping giant Pitney Bowes and the U.S. Coast Guard.

Some ransomware operators said earlier this year that they would not attack health organizations and hospitals during the COVID-19 pandemic, but Ryuk’s operators did not.

Last week, police in Germany launched a homicide investigation after a woman died after she was redirected to another hospital following a ransomware attack.

We’ll have more on the UHS incident as we get it.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: [email protected]

Cyber threat startup Cygilant hit by ransomware

Cygilant, a threat detection cybersecurity company, has confirmed a ransomware attack.

Christina Lattuca, Cygilant’s chief financial officer, said in a statement that the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”

“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program,” the statement said.

Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group, which lets threat groups rent access to its infrastructure to launch their own attacks, according to Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft .

The file-encrypting malware itself not only scrambles a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

A site on the dark web associated with the NetWalker ransomware group posted screenshots of internal network files and directories believed to be associated with Cygilant.

Cygilant did not say if it paid the ransom. But at the time of writing, the dark web listing with Cygilant’s data had disappeared.

“Groups permanently delist companies when they’ve paid or, in some cases, temporarily delist them once they’ve agreed to come to the negotiating table,” said Callow. “NetWalker has temporarily delisted pending negotiations in at least one other case.”

Decrypted: Tesla’s ransomware near miss, Palantir’s S-1 risk factors

Another busy week in cybersecurity.

In case you missed it: A widely used messaging app used by over a million protesters has several major security flaws; a little-known loophole has let the DMV sell driver’s licenses and Social Security records to private investigators; and the U.S. government is suing to reclaim over $2.5 million in cryptocurrency stolen by North Korean hackers from two major exchanges.

But this week we are focusing on how a Tesla employee foiled a ransomware attack, and, ahead of Palantir’s debut on the stock market, how much of a risk factor is the company’s public image?


THE BIG PICTURE

Russian charged with attempted Tesla ransomware attack

$1 million. That’s how much a Tesla employee would have netted if they accepted a bribe from a Russian operative to install malware on Tesla’s Gigafactory network in Nevada. Instead, the employee told the FBI and the Russian was arrested.

The Justice Department charged the 27-year-old Russian, Egor Igorevich, weeks later as he tried to flee the United States. According to the indictment, his plan was to ask the employee to deliberately deploy ransomware on the Gigafactory’s network, grinding the network to a halt for a ransom of several million dollars. The would-be insider threat is likely the first of its kind, one ransomware expert told Wired, as financially driven hackers continue to up their game.

Tesla founder Elon Musk tweeted earlier this week confirming that Tesla was the target of the failed attack.

The attack, if carried out, could have been devastating. The indictment said that the malware was designed to extract data from the network before locking its files. This data-stealing ransomware is an increasing trend. These hacker groups not only encrypt a victim’s files but also exfiltrate the data to their servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

Apple mistakenly approved a widely-used malware to run on Macs

Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. But last year Apple took its toughest approach yet by requiring developers to submit their apps for security checks in order to run on millions of Macs unhindered.

The process, which Apple calls “notarization,” scans an app for security issues and malicious content. If approved, the Mac’s in-built security screening software, Gatekeeper, allows the app to run. Apps that don’t pass the security sniff test are denied, and are blocked from running.

But security researchers say they have found the first Mac malware inadvertently notarized by Apple.

Peter Dantini working with Patrick Wardle, a well-known Mac security researcher, found a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for years — even if Flash is rarely used these days — and most run unnotarized code, which Macs block immediately when opened.

But Dantini and Wardle found that one malicious Flash installer had code notarized by Apple and would run on Macs.

The malicious installer was notarized by Apple, and could be run on the latest versions of macOS. (Image: Patrick Wardle/supplied)

Wardle confirmed that Apple had approved code used by the popular Shlayer malware, which security firm Kaspersky said is the “most common threat” that Macs faced in 2019. Shlayer is a kind of adware that intercepts encrypted web traffic — even from HTTPS-enabled sites — and replaces websites and search results with its own ads, making fraudulent ad money for the operators.

“As far as I know, this is a first,” Wardle wrote in a blog post, shared with TechCrunch.

Wardle said that means Apple did not detect the malicious code when it was submitted and approved it to run on Macs — even on the unreleased beta version of macOS Big Sur, expected out later this year.

Apple revoked the notarized payloads after Wardle reached out, preventing the malware from running on Macs in the future.

In a statement, a spokesperson for Apple told TechCrunch: “Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.”

But Wardle said that the attackers were back soon after with a new, notarized payload, able to circumvent the Mac’s security all over again.

Garmin global outage caused by ransomware attack, sources say

An ongoing global outage at sport and fitness tech giant Garmin was caused by a ransomware attack, according to two sources with direct knowledge of the incident.

The incident began late Wednesday and continued through the weekend, causing disruption to the company’s online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation and route-planning service.

Portions of Garmin’s website were also offline at the time of writing.

Garmin has said little about the incident so far. A banner on its website reads: “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

The two sources, who spoke on the condition of anonymity as they are not authorized to speak to the press, told TechCrunch that Garmin was trying to bring its network back online after the ransomware attack. One of the sources confirmed that the WastedLocker ransomware was to blame for the outage.

One other news outlet appeared to confirm that the outage was caused by WastedLocker.

Garmin’s online services have been down for days. The cause is believed to be ransomware, according to two sources with direct knowledge of the incident. (Screenshot: TechCrunch)

WastedLocker is a new kind of ransomware, detailed by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers, and locks the user’s files in exchange for a ransom, typically demanded in cryptocurrency.

Malwarebytes said that WastedLocker does not yet appear to have the capability to steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million.

The FBI has also long discouraged victims from paying ransoms related to malware attacks.

Evil Corp has a long history of malware and ransomware attacks. The group, allegedly led by a Russian national Maksim Yakubets, is known to have used Dridex, a powerful password-stealing malware that was used to steal more than $100 million from hundreds of banks over the past decade. Later, Dridex was also used as a way to deliver ransomware.

Yakubets, who remains at large, was indicted by the Justice Department last year for his alleged part in the group’s “unimaginable” amount of cybercrime during the past decade, according to U.S. prosecutors.

The Treasury also imposed sanctions on Evil Corp, including Yakubets and two other alleged members, for their involvement in the decade-long hacking campaign.

By imposing sanctions, it’s near-impossible for U.S.-based companies to pay the ransom — even if they wanted to — as U.S. nationals are “generally prohibited from engaging in transactions with them,” per a Treasury statement.

Brett Callow, a threat analyst and ransomware expert at security firm Emsisoft, said those sanctions make it “especially complicated” for U.S.-based companies dealing with WastedLocker infections.

“WastedLocker has been attributed by some security companies to Evil Corp, and the known members of Evil Corp — which purportedly has loose connections to the Russian government — have been sanctioned by the U.S. Treasury,” said Callow. “As a result of those sanctions, U.S persons are generally prohibited from transacting with those known members. This would seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom,” he said.

Efforts to contact the alleged hackers were unsuccessful. The group uses different email addresses in each ransom note. We sent an email to two known email addresses associated with a previous WastedLocker incident, but did not hear back.

A Garmin spokesperson could not be reached for comment by phone or email on Saturday. (Garmin’s email servers have been down since the start of the incident.) Messages sent over Twitter were also not returned. We’ll update if we hear back.

Meet EventBot, a new Android malware that steals banking passwords and two-factor codes

Security researchers are sounding the alarm over a newly discovered Android malware that targets banking apps and cryptocurrency wallets.

The malware, which researchers at security firm Cybereason recently discovered and called EventBot, masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android — which abuses Android’s in-built accessibility features to obtain deep access to the device’s operating system.

Once installed — either by an unsuspecting user or by a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps — including PayPal, Coinbase, CapitalOne and HSBC — and intercepts and two-factor authentication text message codes.

With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.

“The developer behind Eventbot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high,” Assaf Dahan, head of threat research at Cybereason, told TechCrunch.

The malware quietly records every tap and key press, and can read notifications from other installed apps, giving the hackers a window into what’s happening on a victim’s device.

Over time, the malware siphons off banking and cryptocurrency app passwords back to the hackers’ server.

The researchers said that EventBot remains a work in progress. Over a period of several weeks since its discovery in March, the researchers saw the malware iteratively update every few days to include new malicious features. At one point the malware’s creators improved the encryption scheme it uses to communicate with the hackers’ server, and included a new feature that can grab a user’s device lock code, likely to allow the malware to grant itself higher privileges to the victim’s device like payments and system settings.

But while the researchers are stumped as to who is behind the campaign, their research suggests the malware is brand new.

“Thus far, we haven’t observed clear cases of copy-paste or code reuse from other malware and it seems to have been written from scratch,” said Dahan.

Android malware is not new, but it’s on the rise. Hackers and malware operators have increasingly targeted mobile users because many device owners have their banking apps, social media, and other sensitive services on their device. Google has improved Android security in recent years by screening apps in its app store and proactively blocking third-party apps to cut down on malware — with mixed results. Many malicious apps have evaded Google’s detection.

Cybereason said it has not yet seen EventBot on Android’s app store or in active use in malware campaigns, limiting the exposure to potential victims — for now.

But the researchers said users should avoid untrusted apps from third-party sites and stores, many of which don’t screen their apps for malware.

Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principle security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access the underlying macOS operating system, which are typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped detail of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Google’s Advanced Protection program for high-risk users now includes malware protection

Google is expanding the feature set for its Advanced Protection Program, a security offering that helps safeguard Google Accounts of those at risk for targeted attacks — like politicians, journalists, activists, business leaders, and others. The program already provides an increased level of protection for these accounts by limiting access to data, blocking fraudulent account access, supporting the use of physical security keys, and more. Today, Google is adding new malware protections to the program, as well.

For starters, those enrolled in the Advanced Protection Program will have Google Play Protect automatically enabled. This is Google’s built-in malware protection for Android that’s currently used to scan and verify 100 billion apps per day, Google notes. The system uses machine learning to automatically scan users’ device and apps to check for harmful behavior and potential security issues. Now, this will be enabled for Advanced Protection Program members and will not be able to be shut off.

The program will also now limit users’ ability to install apps from outside the Play Store, where apps are now scanned for malware before approval. Those from outside the store can present a greater risk. Google will now prevent the download of non-Play Store apps on any devices enrolled in the Advanced Protection Program, with a few exceptions. Users will be able to install non-Play Store apps through other third-party app stores that may have shipped on your device from the device manufacturer. Others can be installed through the developer tool Android Debug Bridge. However, Google says non-Play Store apps that have already been installed won’t be removed and can continue to be updated.

Google launched its Advanced Protection Program in fall 2017, as an opt-in option for those who believe they’re at increased risk of online attacks. The program focuses on defending against phishing, locking down malicious apps, and fending off hackers. The trade-off is reduced convenience as there are additional steps to take during authentication and more limitations on what can be done. But the result is a safer, and free, way to increase the security of your account and device.

The new added protections will roll out gradually to accounts enrolled in Advanced Program on Android devices, to be later this year be followed by new malware protections for Chrome, Google says. However, G Suite users won’t get these new protections now — instead, they’re offered through endpoint management which helps secure devices belonging to mobile workforces.

 

Hackers hit NutriBullet website with credit card-stealing malware

Magecart hackers have struck again, this time targeting the NutriBullet website.

According to new research by security firm RiskIQ, hackers broke into the blender maker’s website several times over the past two months, injected malicious credit card-skimming malware on its payment pages and siphoned off the credit card numbers and other personal data — like names, billing addresses, expiry dates and card verification values — of unsuspecting blender buyers.

The data was scraped and sent to a third-party server, operated by the attackers. The stolen credit card data is then sold to buyers on dark web marketplaces.

NutriBullet fought back each time by removing the malicious code each time. But RiskIQ said that the hackers still have access to the company’s infrastructure, with its hackers targeting NutriBullet’s website as recently as last week.

RiskIQ head of threat research Yonathan Klijnsma warned against using the site until the company “acknowledges our outreach and performs a cleanup.”

NutriBullet’s chief information officer Peter Huh confirmed the intrusions and that it had “launched forensic investigations” into the incident, and claimed it will “work closely with outside cybersecurity specialists to prevent further incursions,” but did not name the outside firm.

Huh and a spokesperson declined to answer our questions, specifically if customers would be notified of the security incident.

It’s the latest attack by Magecart, a group of groups rather than a single entity of hackers, all of which have different motivations and targets but all of which use largely the same tactics and techniques. There are eight known Magecart groups focused on stealing credit card numbers for profit, according to Klijnsma.

Hackers associated with Magecart tactics have in the past few years hit Ticketmaster, British Airways, the American Cancer Society and consumer electronics giant Newegg.

With the help of security outfits AbuseCH and Shadowserver, RiskIQ began efforts to take down the malicious domain that the hackers were using to send stolen credit card numbers. But Klijnsma acknowledged that the group, still with access to NutriBullet’s infrastructure, can keep spinning up new malicious domains and re-infecting the site with credit card-scraping malware.

“They’re learning from past attacks to stay one step ahead,” said Klijnsma. “It’s on the security community to do the same.”