Home » Trends » SATCOM networks on high alert after US Govt warning • The register
Trends

SATCOM networks on high alert after US Govt warning • The register

Short US federal agencies have warned of possible threats to US and international satellite communications (SATCOM) networks that could affect customers.

In a joint security alert, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI “strongly encouraged” critical infrastructure operators, along with SATCOM network providers and customers, to take a series of mitigation steps to support their networks.

These include:

  • Implementation of additional monitoring for anomalous traffic during entry and exit points on SATCOM equipment.
  • Monitoring network logs for suspicious activity and unauthorized or unusual login attempts.
  • With strong passwords and other authentication methods including multi-factor authentication.
  • Implement less-privilege access through authorization policies.
  • Review existing trust relationships with IT service providers.
  • Implement independent encryption across all communication links hired or provided by SATCOM providers.
  • Create and execute a cyber incident response plan.

“Given the current geopolitical situation, CISA’s Shields Up initiative calls on all organizations to significantly lower their thresholds for reporting and sharing indications of malicious cyber activity,” the agency warned.

The alarm follows a cyberattack against satellite communications provider Viasat, which began the day Russia attacked Ukraine, a move that apparently shut down tens of thousands of KA-SAT SATCOM terminals in Europe. Viasat’s KA-SAT bird offers connectivity with the UK, Continental Europe, Western Russia and Turkey. Viasat is also a US and UK military contractor.

A security breach in HubSpot’s online CRM and marketing outfit has had a knock-on effect, leading to the leakage of some customer information from no more than 30 HubSpot customers, including BlockFi, Swan Bitcoin, NYDIG, and Circle. It seems that the intrusion was targeted at cryptocurrency biz.

According to HubSpot, “a bad actor compromised a HubSpot employee account” in order to access the contact information people used to sign up for the services.

Stop the noise

Security teams are (still) suffering from alarm bumps with the financial sector hit hardest, according to a new Orca Security report.

The cloud security vendor conducted a global survey of 813 IT makers in five countries (US, UK, France, Germany, and Australia) in 10 industries, and found that 59 percent of respondents receive more than 500 public cloud security alerts every day.

It’s even worse for security teams at financial institutions: 71 percent of those surveyed see more than 500 such alarms every day, 85 percent have more than 500 public cloud alarms on, and 63 percent say they spend more than 20 percent of their time each Day reviewed and prioritized alarms.

Orca has also found that siled safety devices make the problem worse. It cites 87 percent of respondents who use five or more public cloud security tools. The biggest culprits here are network scanning tools (84 percent) and cloud platform native security tools (82 percent).

Another interesting excerpt: the inconsistency between respondents’ trust and satisfaction with their security tools versus how well they say these products actually work.

Almost all (95 percent) report that they are confident or very confident in the accuracy of the tools, while 43 percent say that more than 40 percent of their security alarms turn out to be false positives. And 97 percent say they are satisfied or completely satisfied with the ability of their cloud security products to prioritize risk. But nearly half (49 percent) say more than 40 percent of alarms have low priority.

More Conti Leak Analysis, please

Handshow: who still loses sleep because he can not stop to scroll more Conti Leak analyzes?

Check Point Research, in its latest analysis of the Russian-backed ransomware gang, has produced a particularly useful report to illustrate how communication between members and partners works. It allows viewers to draw a user node to see the connections of the various team members and the amount of messages they send to other members in the criminal operation.

The security business also discussed the recruitment sites used by the Conti HR department: Russian-language headhunting services like headhunter.ru and superjobs.ru, although Check Point noted that Conti had less success with the latter.

“You may ask ‘why does headhunter.ru offer such a service?’, And the answer is, they do not,” the threat researchers wrote. “Conti simply purchased the software, which gives access to the ‘borrowed’ CV pool without permission, which seems to be standard practice in the cybercrime world.”

Meanwhile, security surveillance firm Arctic Wolf says it uses the Conti leaks combined with its own dark web surveillance and ransomware response data to quantify Conti victims by geographic location. Most (52%) are based in the US, followed by Germany (9%) and the UK (8%).

Not to be outdone, Russian-speaking cybersecurity researchers at Forescout also poured over the Conti leaks and published a 14-page report this week [PDF].

“One of the conti files is roughly translated in the ‘Hacker’s Quickstart Guide’, according to the security firm’s analysis.

As the name implies, the file provides recommendations for attacking networks and gaining persistence. Forescout summarizes the three main points:

  • IoT devices have a large initial attack surface.
  • RDP is recommended as the “initial backdoor”.
  • Active Directory / Domain controllers are often the primary target before you reach persistence.

“Active Directory servers are most convenient for exploitation: often typical misconfigurations can be found, many vulnerabilities (such as Zerologon) and shared resources are enabled by default (eg default network sharing),” the report said. “In particular, such shared resources not only help regular employees to do their day-to-day work, but also make the attackers’ work significantly easier.”

Log4j another pain point

Nearly a third (30 percent) of Log4j instances remain vulnerable to exploitation, according to Qualys’ latest research.

The security vendor has also released a new open-source Log4j scanning tool, in addition to free access to its platform for 30 days.

It’s been three months since the vulnerability affecting Apache’s popular Java-based logging tool was released on December 9th. Just 72 hours later, cybercriminals launched nearly a million attack attempts.

The security provider says its endpoint detection and response product has detected 22,000 potential attacks per week “at the height of the crisis”.

In total, the bug was discovered in more than 2,800 web apps, according to Qualys, and most (more than 80 percent) were Linux-based.

Some 68,000 birds were found in cloud workloads and containers throughout the United States, Europe, the Middle East and Africa. And more than half of the apps with Log4j have been marked as “end-of-support”, meaning software vendors do not offer security patches.

(Gh0st) Cringe-worthy RAT

Researchers from AhnLab detailed a remote access Trojan (RAT) called Gh0stCringe that infects Microsoft SQL and MySQL, particularly “poorly managed DB servers with vulnerable account credentials,” according to the Korean security business blog.

Gh0stCringe, aka CirenegRAT, is based on the code of Gh0st RAT.

As Malwarebytes Labs notes, “The Gh0st RAT source code has been publicly released, so we’ve seen quite a bit of malware based on this code.”

The original Gh0st RAT uses a signature string called “Gh0st” to communicate with the command-and-control server.

Once communication is established, the newer Gh0stCringe RAT can execute any number of malicious acts, including linking to specific URLs without the user’s knowledge, keylogging, stealing information, downloading additional payloads, and destroying data. ®