The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

Finding your hard earned dollars haven’t made their way into your bank account because some pesky cyber thief hacked your payroll provider is the last thing you want to hear on payday, so we welcome the news that an individual arrested for exactly such a crime pleaded guilty in court this week.

Charles Onus, a 34 year old Nigerian national, obtained unauthorized access to over 5,500 user accounts of a payroll services company via credential stuffing attacks. He then changed the bank information the account holder had designated for payroll to that of prepaid debit cards he controlled. Over more than 6 months, Onus managed to steal salaries totalling around $800,000.

While the crimes took place on or around July 2017 to sometime in 2018, the FBI weren’t able to arrest Onus until he decided to fly into the U.S. from Nigeria on April 14 for a two-week vacation in Las Vegas. Unfortunately for him, it was a gamble that didn’t pay off as San Francisco Customs and Border Protection officers were waiting to apprehend him. After this week’s guilty plea to computer fraud, Onus awaits sentencing on May 12, 2022. The charges carry a maximum sentence of 5 years in prison.

The Bad

Network security vendor WatchGuard, along with U.K. and U.S. cybersecurity and law enforcement agencies, this week released an advisory warning that the APT sometimes known as Sandworm but better known as Russia’s GRU unit (the folks who brought the world NotPetya ransomware) has been seen distributing a new malicious botnet, dubbed Cyclops Blink.

The botnet targets home and small office network devices like WatchGuard Firebox and infects them with a malicious Linux ELF binary. Once a device is infected, the malware has functionality that includes file upload/download, system information discovery, self-updating and tasking from a C2 or bot master.

Infected devices have their firmware modified, which allows the malware to persist through reboots and even through subsequent legitimate firmware updates. Researchers say that the APT had “clearly reverse engineered the WatchGuard Firebox firmware update process and identified a weakness”. WatchGuard says that only firewall appliances that have been configured to allow unrestricted management access from the internet are at risk.

In order to detect whether a device is infected with Cyclops Blink, WatchGuard customers need to download a set of tools available from here and follow a four-step remediation process detailed here. Researchers advise that the weakness in the firmware update process is likely present in other WatchGuard devices, and all users are urged to follow the remediation steps.

The Ugly

When bad things happen in the world at large, you can be sure that anything from cyber crime to cyber warfare will soon follow suit in the digital domain. As this week saw the dawn of the long-anticipated Russian invasion of Ukraine, various cyber actors also unleashed their own unwanted contributions to the melee.

Among those was a campaign to destroy the information systems of a number of Ukrainian organizations with a custom wiper that researchers at SentinelLabs dubbed HermeticWiper.

As the name implies, the highly-destructive malware has but one objective: to render any device it runs on unusable. In this case, the targets are Windows 7 machines, still widely in use in Ukrainian organizations, and easy targets due to multiple known vulnerabilities.

Meanwhile, several reports came in on Thursday of DDoS attacks against both Ukrainian and Russian websites. Ukraine’s Kyiv Post was said to be under attack from the moment Russia launched its military offensive. On the other side of the fence, Russian government sites experiencing attack included the Kremlin (kremlin.ru) and the State Duma (duma.gov.ru). The infamous, nebulous and somewhat chaotic collection of individuals sometimes known as “Anonymous” claimed to have knocked the RT News website offline for an entire six hours.

CISA has warned U.S. companies to be on heightened alert as the conflict unfolds in cyber space, and has released an advisory entitled Shields Up. The advisory notes that:

While there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies.

The advisory also contains a number of useful recommendations regarding how to prepare, detect and respond to cyber intrusions that all defenders are urged to review.