Cyberattack Damages SATCOM Terminals: How an Interruption in Satellite Communication Brought Down Internet, Communications and Power Generation

On February 24th, 2022, between the hours of 5 a.m. and 9 a.m., tens of thousands of KA-SAT SATCOM terminals suddenly stopped working in several European countries, notably Ukraine and Germany [1]. This resulted in the loss of internet access for tens of thousands of people and the loss of remote control over 5,800 wind turbines in Germany. The outage began at the same time Russia launched its full-scale invasion of Ukraine [4]. Investigation into the outage has revealed that it was the result of a cyber attack launched by unidentified hackers. It is currently not known whether they were backed by the Russian state, which has repeatedly rejected allegations that it participates in cyberattacks [1].

Back-Up, What are SATCOM Terminals? What Does SATCOM Even Mean?

SATCOM stands for satellite communication, so a SATCOM terminal is a device used to communicate with satellites. Terminals have a wide range of uses, from emergency communication devices that allow vessels to send distress calls to providing basic access to the Internet [6]. SATCOM networks are used for communication in a large number of industries, including aviation, media, and military and defense. It’s estimated that about eight million Americans rely on SATCOM networks for internet access [5]. Similarly, Viasat’s KA-SAT network and its terminals (the ones that were attacked) provide high-speed satellite internet coverage to Europe and the Mediterranean, and the Ukrainian military is reported to use this type of satellite terminal [3]. Over the past several years, Ukraine’s military and security services have purchased communications systems that run over Viasat’s network, and a review of government contracts shows that the KA-SAT network has provided internet connectivity to Ukrainian military and police units [1].

KA-SAT coverage over Europe and the Mediterranean Basin (different colors show frequency reuse).
Image Source: https://en.wikipedia.org/wiki/KA-SAT

The Attack and Its Consequences

From what is publicly known so far, the attack:

  • Began on February 24th, between 5 a.m. and 9 a.m. [1].
  • Was launched by unidentified hackers; the Russian government has denied any involvement [1].
  • Disabled tens of thousands of modems that communicate with Viasat’s KA-SAT satellite, cutting off internet connectivity for tens of thousands of users in the affected area [1].
  • Cut off remote monitoring and control of 5,800 wind turbines (which use SATCOM modems) built by the German company Enercon [2].
  • Affected Ukrainian military communications to the extent that a Ukrainian official called it “a huge loss for them in terms of communications in the very beginning of war” [3].
  • Was the result of a misconfiguration in the “management section” of the satellite network, which allowed the hackers to gain remote access to the modems and knock them offline [1].
  • Damaged the modems to the extent that most affected devices were rendered inoperable and would need to be reprogrammed either by a technician on site or at a repair depot, and some would have to be swapped out. Notably, more than two weeks later some still remain offline [1].

A graph showing Viasat network connectivity data at the time of the attack.
Image Source: https://www.zdnet.com/article/viasat-confirms-cyberattack-causing-outages-across-europe/

Why Should I Care? How Does This Relate To Cybersecurity?

Within the realm of cyberattacks and cyberwarfare, the scope of recent attacks has largely been limited to private companies [11], government websites, and infrastructure [12]. While these attacks have been devastating (and costly), until recently larger-scale systems such as SATCOM networks had been relatively untouched. The Viasat attack has shown that satellite communications networks are not only vulnerable to cyberattacks but have already been targeted by them, with considerable success. The utility and value that these networks provide cannot be overstated, particularly for military use. A successful attack could impose a communications blackout on an entire army, block distress calls, or cut operators off from their power generation sites.

The risk posed by these large networks lies not only in the cost of a successful attack but also in their widespread, international reach. The KA-SAT network alone covers broad areas of Europe and the Mediterranean [1]. The attack on the 24th was harmful enough; a more destructive attack would be not only disastrous but far-reaching. With such dire possible consequences, cybersecurity for satellite communication is as vital as ever.

While some SATCOM networks are currently vulnerable, all hope is not lost. A joint CISA-FBI advisory issued on March 17th urged SATCOM network providers and the critical infrastructure organizations that rely on them to reinforce their cybersecurity defenses due to an increased possibility of cyberattack [5]. The advisory outlines defensive actions for both SATCOM providers and their customers to take amid investigations into the Viasat attack [10]. Those that were attacked are taking action as well; Viasat and Enercon are taking steps to repair their systems:

  • Enercon reports that it is working with the operators of the affected wind farms to set up alternative ways to regain remote control of the turbines. There was no risk to the turbines, as they continued to operate in “auto mode,” the company said [2].
  • Viasat is working with distributors to restore service for those fixed broadband users in Europe impacted by this event, with a priority focus on critical infrastructure and humanitarian assistance [5].

A Hopeful Conclusion

Ultimately, the attack on the 24th did not permanently disable the network and has not caused an immediate loss of life (outside of any casualties attributable to the interruption of military communications in Ukraine). While the temporary halt of internet connectivity, communications, and remote control of wind power generation was shocking, the affected systems are being repaired. Not only has the attack raised eyebrows regarding SATCOM security, it has also triggered a response: steps to reinforce the digital security of these networks so that future (potentially more harmful) attacks can be prevented.

References:

  1. https://www.reuters.com/world/europe/exclusive-us-spy-agency-probes-sabotage-satellite-internet-during-russian-2022-03-11/
  2. https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/
  3. https://www.reuters.com/world/satellite-outage-caused-huge-loss-communications-wars-outset-ukrainian-official-2022-03-15/
  4. https://www.reversemode.com/2022/03/satcom-terminals-under-attack-in-europe.html
  5. https://techcrunch.com/2022/03/18/cisa-fbi-satellite-networks/
  6. https://www.goincognito.co/info-massive-cyber-attack-in-europe/
  7. https://www.zdnet.com/article/viasat-confirms-cyberattack-causing-outages-across-europe/
  8. https://www.zdnet.com/article/cisa-and-fbi-warn-over-threats-to-satellite-communications-networks/
  9. https://www.reuters.com/business/aerospace-defense/satellite-firm-viasat-probes-suspected-cyberattack-ukraine-elsewhere-2022-02-28/
  10. https://www.cisa.gov/uscert/ncas/alerts/aa22-076a
  11. https://www.itworldcanada.com/article/cyber-security-today-march-2-2022-toyota-and-aon-deal-with-cyber-attacks-updates-on-axis-and-nvidia-attacks-and-more/474804
  12. https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

Another Russian Cyber Attack!

(7)

While this attack was carried out by actors sponsored by the Russian government, it occurred back in May 2021 and has only recently been reported on, so it has little to do with the current political conflict involving Russia. The FBI and CISA (the Cybersecurity and Infrastructure Security Agency) have released information showing that the attackers used a default MFA (multifactor authentication) configuration as their entry point and then exploited the already-known PrintNightmare vulnerability (1). The victim is an undisclosed non-governmental organization (NGO), and it is unclear exactly what information was exfiltrated, but it is clear that the attackers had access to cloud documents and email accounts.


What is PrintNightmare?

Microsoft published details of this vulnerability, tracked as CVE-2021-34527, on July 1st, 2021 (3). The vulnerability is in the Windows Print Spooler service, which, when working as intended, manages all print jobs received by the computer. When exploited, the service improperly performs privileged file operations, which gives attackers the opportunity to execute arbitrary code. Remote code execution (RCE) is a serious class of vulnerability because it effectively grants bad actors SYSTEM privileges, giving them free rein to view data, delete data, or install programs they would not otherwise be able to (2). For this reason Microsoft rated the vulnerability 8.8/10 on the Common Vulnerability Scoring System (CVSS) (3).


How was the attack done?

Usually MFA is an important part of keeping intruders out of accounts they are not supposed to access. In this case, however, the attackers took advantage of Cisco’s Duo MFA, whose default configuration allowed a dormant account (one un-enrolled from Duo after a long period of inactivity, but never disabled in Active Directory) to enroll a new MFA device without any verification (4). Because of this oversight, all that the attackers had to do was (5):

  • Find a dormant account with a weak password.
  • Brute-force the weak password, then enroll their own device for MFA on that account (no verification was required for dormant accounts).
  • Use the PrintNightmare exploit to escalate their permissions to SYSTEM.
  • Use those permissions to edit the Windows hosts file so Duo’s MFA calls were redirected to localhost; with Duo configured to “fail open” when its servers are unreachable, every account could then log in without MFA.

At this point the attackers were well inside the network and could move laterally, obtaining credentials for additional domain accounts and reading data stored on the cloud server and in other users’ email.
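The two weaknesses above are both things a defender can hunt for after the fact. The following script is an added example (not from the CISA alert or from Duo) that runs three checks over constructed sample data: a hosts file that pins the Duo API hostname to loopback, an Active Directory export containing an enabled-but-dormant account with no MFA device, and a Duo Authentication Proxy config whose `failmode` is the fail-open value. The hostname, account names and config values are all made up; the assumption that Duo’s proxy defaults to `failmode=safe` is taken from Duo’s documentation at the time of writing.

```python
"""Hunting for the MFA weaknesses in the NGO intrusion (added example).

Inputs are constructed samples: a domain controller's hosts file, an AD
account export, and a Duo Authentication Proxy config. Nothing here talks
to a live system.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# MFA vendor API domains that should never be pinned in a hosts file.
MFA_DOMAINS = ("duosecurity.com",)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        for host in fields[1:]:
            yield ip, host.lower()


def find_mfa_redirects(hosts_text):
    """Return (ip, hostname) entries that override resolution of an MFA API.

    The published indicator was a line mapping the tenant's
    api-<id>.duosecurity.com host to 127.0.0.1, so Duo could never be
    reached and a fail-open policy let logins through without MFA.
    """
    return [(str(ip), host) for ip, host in parse_hosts(hosts_text)
            if host.endswith(MFA_DOMAINS)]


def find_dormant_enabled_accounts(accounts, now, dormant_days=90):
    """Return enabled accounts with no MFA device and no logon for dormant_days.

    These are the accounts a default Duo policy let an attacker self-enroll
    a new device on after guessing the password.
    """
    cutoff = now - timedelta(days=dormant_days)
    return [a["sam"] for a in accounts
            if a["enabled"] and not a["mfa_enrolled"]
            and datetime.fromisoformat(a["last_logon"]) < cutoff]


FAILMODE_RE = re.compile(r"^\s*failmode\s*=\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def duo_proxy_fails_open(config_text):
    """True if an authproxy.cfg would allow logins while Duo is unreachable.

    'safe' is fail-open and (assumption) the documented default; 'secure' is
    fail-closed.
    """
    m = FAILMODE_RE.search(config_text)
    return (m.group(1).lower() if m else "safe") == "safe"


# --- constructed samples -------------------------------------------------
SAMPLE_HOSTS = """\
# constructed sample, modelled on the published indicator
127.0.0.1       localhost
10.20.0.15      fileserver.corp.example
127.0.0.1       api-1a2b3c4d.duosecurity.com
"""
SAMPLE_ACCOUNTS = [  # constructed AD export
    {"sam": "jdoe", "enabled": True, "mfa_enrolled": True,
     "last_logon": "2022-03-10T09:00:00+00:00"},
    {"sam": "svc-legacy", "enabled": True, "mfa_enrolled": False,
     "last_logon": "2021-01-05T12:00:00+00:00"},
    {"sam": "former-intern", "enabled": False, "mfa_enrolled": False,
     "last_logon": "2020-08-01T12:00:00+00:00"},
]
SAMPLE_AUTHPROXY = """\
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
radius_ip_1=10.20.0.1
failmode=safe
"""
NOW = datetime(2022, 3, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("hosts-file MFA redirects:", find_mfa_redirects(SAMPLE_HOSTS))
    print("dormant enabled accounts:", find_dormant_enabled_accounts(SAMPLE_ACCOUNTS, NOW))
    print("Duo proxy fails open:", duo_proxy_fails_open(SAMPLE_AUTHPROXY))
```

Any hit from the first check is an incident, not a misconfiguration: there is no legitimate reason for a domain controller to resolve a SaaS MFA API locally. The second and third checks are the preventive side: disable dormant accounts in AD rather than relying on the MFA provider to forget them, and set `failmode=secure` so an unreachable MFA service blocks logins instead of waving them through.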


Takeaways

It is clear that many things went wrong for this attack to have been carried out: the permissive default settings of Duo MFA, the NGO’s failure to understand the settings governing its own network’s security, and even Microsoft’s relatively slow fix for a known exploit. But the simplest flaw, and one any of us could be responsible for, is a weak password. Without an account whose relatively simple password the attackers could guess, there would have been no entry point for the attack (5). Making a complex password that is hard to crack benefits not only your own security but, as this example showed, everyone on the shared network when all else fails.

Here is a video that goes over some things to consider when making a good password:

(6)

Sources:

(1) https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html

(2) https://nakedsecurity.sophos.com/2021/06/30/printnightmare-the-zero-day-hole-in-windows-heres-what-to-do/

(3) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

(4) https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

(5) https://nakedsecurity.sophos.com/2022/03/16/russian-actors-bypass-2fa-story-what-happened-and-how-to-avoid-it/

(6) https://www.youtube.com/watch?v=pMPhBEoVulQ&t=102s

(7) https://www.ft.com/content/0aa7a6e0-ca52-11e9-af46-b09e8bfe60c0

Artificial Intelligence-Enhanced Drone in Modern Warfare

During the ongoing war between Russia and Ukraine, photographs have appeared showing what appears to be the KUB-BLA, a Russian “suicide” drone whose maker claims it can fly itself and recognize targets using artificial intelligence [1]. This raises concern that AI will play a greater role in making lethal decisions and that autonomous drones might alter the course of war.

Self-flying drone

Self-navigating drones are given pre-defined GPS coordinates for their departure and destination points and can find an optimal path and get there without manual control, thanks to AI-enabled advances in computer vision. The built-in elements of a self-flying drone include onboard software, propulsion and navigation systems, GPS, sensors and cameras, programmable controllers, and equipment to automate the flight [2].

Computer Vision

Computer vision’s primary role is detecting the various types of objects on the ground, analysing and recording information while the drone is in the air [3]. Onboard image processing and a neural network are used to detect, classify, and track objects as the drone travels. The network can detect objects such as vehicles, buildings, trees, objects on or near the surface of the water, and diverse terrain, and can identify living creatures with a high degree of accuracy. Using computer vision, the drone maps its surroundings in 3D to support maneuvering and avoiding collisions with obstacles.

Drone’s computer vision

Deep Machine Learning in Object Detection & Drone Navigation

GPS navigation and computer vision alone are not enough to solve collision avoidance. To teach the drone to avoid objects at high speed and to recognize a variety of objects, static and moving, deep learning algorithms must be trained on a large amount of data. A wide variety of entities are labeled so the drone can detect obstacles in its path and decide its direction and control inputs to fly around them safely.

How devastating is a “suicide” drone?

According to its maker ZALA Aero, a subsidiary of the Russian arms company Kalashnikov, each KUB-BLA carries a 3-kilogram explosive charge that detonates when the drone dives into its target. The blast is powerful enough to kill a person or destroy a vehicle.

Drone explosion – Source: movie Angel Has Fallen

The drone’s computer vision is said to use intelligent facial recognition to identify the target while in flight, and machine learning is used to dodge incoming fire and calculate the optimal course. This makes the drone effective at detecting and chasing a target to ensure a hit.

AI-drone with Facial Recognition

Capable of a top speed of 130 km/h for 30 minutes after launch, it leaves a ground target almost no chance of escape. It is unknown whether the KUB-BLA can be used in a drone swarm attack.

Reference

[1] https://www.wired.com/story/ai-drones-russia-ukraine/

[2] https://medium.com/vsinghbisen/how-ai-based-drone-works-artificial-intelligence-drone-use-cases-7f3d44b8abe3

[3] https://www.wevolver.com/article/artificial-intelligence-in-drone-technology/

All Your Base (Should) Belong to You

With the adoption of cloud computing, developers can cut costs on servers. Cloud computing can be more beneficial than on-premise servers since companies pay only for what they need while a third party handles maintenance of the server (1). However, a study by Check Point Research found more than 2,000 databases in Google Firebase alone that had been left exposed (2).


Firebase
The Google Firebase logo (3).

Google Firebase is a cloud-hosted application platform mainly used for developing mobile and web apps. Its Realtime Database is a cloud-hosted NoSQL database whose API lets developers push updates to application data across multiple platforms at the same time (3). Problems arise when developers leave these databases misconfigured.


The logo used by VirusTotal (4).

VirusTotal is a service where anyone can upload URLs, IP addresses, domains, and files to check whether they are known to be malicious. Submissions are shared with VirusTotal’s security community, made up of people who work in antivirus, security, and malware research. These people add comments and can vote on whether submitted files and URLs are malicious (5).

The Breach

Over the span of three months, Check Point Research used VirusTotal to search for Firebase URLs. First, they searched VirusTotal for Android application packages (APKs) containing URLs with “.firebaseio.com”. Then they appended “/.json” to each URL to see whether the database root could be read without authentication. Among the databases they could read, they filtered for keywords such as “password” and found many with sensitive user information (5). The affected applications ranged from dating apps to healthcare apps.

The database of an accounting application designed for businesses. The addresses, bank balances, cash balances, emails, and more of over 80,000 companies were found exposed by Check Point Research (5).

Rest assured, the good people over at Check Point Research notified the companies after their discovery!

What Can be Done?

Make sure to lock up!

As hard a mistake as it seems to make, the 2,000-plus exposed databases found by Check Point Research had either been left in test mode, which allows all reads and writes to the database, or had exposed credentials (2). By leaving your database in test mode, the not-so-good people (AKA attackers) can not only read sensitive information but also write to your database. By writing malicious content, the integrity of your database and the safety of your application’s users can be compromised.
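The two halves of this story, Check Point’s probe and the rules that should have stopped it, fit in one short script. What follows is an added example, not Check Point’s tooling or Firebase’s own code: it pulls Realtime Database URLs out of a blob of strings (the sort of thing extracted from an APK), builds the `/.json` root-read URL, classifies the response, and audits a Firebase rules file for test-mode permissions. It runs entirely offline; the APK strings, the HTTP responses, the project names and the rules files are constructed samples. The assumptions are that Firebase answers an unauthorised root read with HTTP 401 and `{"error": "Permission denied"}`, and that test mode ships rules that are either literal `true` or a `now < <epoch-ms>` expiry.

```python
"""Re-creating the Firebase probe and a rules audit (added example).

Everything is offline: the APK strings, HTTP responses and rules files below
are constructed samples, not data from the study.
"""
import json
import re
from urllib.parse import urlsplit

# Realtime Database hosts: legacy *.firebaseio.com and regional *.firebasedatabase.app
FIREBASE_URL_RE = re.compile(
    r"https?://[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:firebaseio\.com|firebasedatabase\.app)[^\s\"'<>]*",
    re.IGNORECASE,
)
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret", "ssn", "card_number"}


def extract_firebase_urls(strings_blob):
    """Pull Realtime Database URLs out of text extracted from an APK."""
    return sorted({m.group(0).rstrip("/") for m in FIREBASE_URL_RE.finditer(strings_blob)})


def probe_url(db_url):
    """Build the unauthenticated root read that reveals an open database."""
    parts = urlsplit(db_url)
    return f"{parts.scheme}://{parts.netloc}/.json"


def _sensitive_keys_in(obj, found=None):
    """Walk a decoded JSON tree and collect keys that look like secrets."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in SENSITIVE_KEYS:
                found.add(key)
            _sensitive_keys_in(value, found)
    elif isinstance(obj, list):
        for value in obj:
            _sensitive_keys_in(value, found)
    return found


def classify_response(status, body):
    """Classify the answer to GET /.json: locked, open, or open with secrets."""
    if status == 401:
        return "locked"          # {"error": "Permission denied"}
    if status != 200:
        return f"unexpected-{status}"
    data = json.loads(body)
    if data is None:
        return "open-empty"      # readable, but nothing stored at the root
    return "open-sensitive" if _sensitive_keys_in(data) else "open"


def audit_rules(rules_json):
    """Flag root-level .read/.write rules that are effectively public."""
    rules = json.loads(rules_json)["rules"]
    findings = []
    for perm in (".read", ".write"):
        rule = rules.get(perm, False)
        if rule is True or (isinstance(rule, str) and "now <" in rule):
            findings.append(f"root {perm} is public: {rule!r}")
    return findings


# --- constructed samples -------------------------------------------------
APK_STRINGS = """
https://acme-ledger-1234.firebaseio.com/companies
https://acme-ledger-1234.firebaseio.com/companies/
https://acme-ledger-eu.europe-west1.firebasedatabase.app/
"""
OPEN_BODY = json.dumps({"users": {"u1": {"email": "a@example.com", "password": "hunter2"}}})
LOCKED_BODY = '{"error": "Permission denied"}'
TEST_MODE_RULES = '{"rules": {".read": "now < 1672531200000", ".write": "now < 1672531200000"}}'
LOCKED_RULES = '{"rules": {".read": "auth != null", ".write": "auth != null"}}'

if __name__ == "__main__":
    for url in extract_firebase_urls(APK_STRINGS):
        print(url, "->", probe_url(url))
    print(classify_response(200, OPEN_BODY), classify_response(401, LOCKED_BODY))
    print(audit_rules(TEST_MODE_RULES) or "rules look locked down")
```

The `now <` check matters because test mode is not “open forever”: it is open for 30 days, which is exactly long enough to ship the app and forget about it. `auth != null` in the locked sample is only the minimum; real rules should also scope reads and writes to the authenticated user’s own subtree.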

There is no denying the benefits and ease of use that come with cloud computing; many start-up companies enter the market through it. However, as we all know, no matter how good the security, the weakest point is often the user. With how fast technology evolves, it is easy to miss key security steps one did not previously have to think about. Cloud misconfigurations leave the door open for attackers, so it is critical that more awareness is brought to this issue and that proper standards of practice are in place to guard against it.

Sources:

  1. https://www.cleo.com/blog/knowledge-base-on-premise-vs-cloud
  2. https://www.darkreading.com/application-security/mobile-app-developers-leave-behind-2-100-open-databases
  3. https://en.wikipedia.org/wiki/Firebase
  4. https://www.virustotal.com/gui/home/search
  5. https://blog.checkpoint.com/2022/03/15/stop-neglecting-your-cloud-security-features-check-point-research-found-thousands-of-open-cloud-databases-exposing-data-in-the-wild/

All My Apes Gone

All my apes are gone from Know your meme

With the NFT market worth more than $10 billion, it has gained the attention of a lot of people. With NFTs discussed on the news and celebrities, public figures, and giant companies supporting or even starting NFT projects, it makes sense that hackers and malicious actors have decided to exploit weaknesses in the system. In this post I would like to talk about some of the ways people have done so.

Before I start, you should know how NFTs (Non-Fungible Tokens) work. Since there is a lot going on with NFTs, I cannot explain everything here, so I would direct you to an introductory explainer first.

OpenSea email Scam

OpenSea email phishing email from PCrisk

In this attack, unsuspecting users receive an email claiming to be from OpenSea. Clicking the link leads to a fraudulent website that asks them to connect their wallet and then sign an “Approve All” transaction, which lets the attacker initiate transactions from the victim’s wallet. With that, the attacker can sell the NFTs in the victim’s wallet to themselves for 0 ETH, or for far less than they are worth.

According to OpenSea, 17 users fell victim to this attack, and the attacker stole numerous valuable assets, including 3 Bored Ape Yacht Club, 2 CloneX and 17 Azuki NFTs, and 631 ETH; the haul is estimated to be worth at least $1.7 million.

Phishing attacks are the most common types of attacks used for stealing NFTs.
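The reason one signature is enough is the way ERC-721 operator approvals work. The following is an added example, a Python sketch of the token standard’s approval rules and not OpenSea’s contract or the attacker’s code; it assumes that the post’s “Approve All” transaction corresponds to the standard’s `setApprovalForAll`, and the addresses and token ids are made up. It shows that a single approval hands an operator every token the victim holds in that collection, and that revoking the approval closes the door again.

```python
"""A minimal model of ERC-721 operator approvals (added example).

Not OpenSea's or any real contract: just enough of the standard's rules to
show the blast radius of one setApprovalForAll signature.
"""


class Erc721:
    def __init__(self):
        self.owner_of = {}   # token_id -> owner address
        self.operators = {}  # owner address -> set of approved operators

    def mint(self, to, token_id):
        self.owner_of[token_id] = to

    def tokens_of(self, owner):
        return sorted(t for t, o in self.owner_of.items() if o == owner)

    def set_approval_for_all(self, caller, operator, approved):
        """msg.sender grants or revokes blanket transfer rights to operator."""
        ops = self.operators.setdefault(caller, set())
        (ops.add if approved else ops.discard)(operator)

    def is_approved_for_all(self, owner, operator):
        return operator in self.operators.get(owner, set())

    def transfer_from(self, caller, frm, to, token_id):
        """Succeeds only for the owner or an approved operator, as in the standard."""
        if self.owner_of.get(token_id) != frm:
            raise ValueError("from address does not own this token")
        if caller != frm and not self.is_approved_for_all(frm, caller):
            raise PermissionError("caller is neither owner nor approved operator")
        self.owner_of[token_id] = to


def phishing_scenario(revoke_before_drain=False):
    """Victim signs 'approve all' on a fake site; attacker drains the wallet.

    Returns the token ids the attacker ends up holding.
    """
    victim, attacker = "0xvictim", "0xattacker"   # constructed addresses
    ledger = Erc721()
    for token_id in (101, 102, 103):             # constructed token ids
        ledger.mint(victim, token_id)

    # The only thing the phishing page needed from the victim.
    ledger.set_approval_for_all(victim, attacker, True)

    if revoke_before_drain:
        # What a wallet-hygiene tool does: flip the same flag back to False.
        ledger.set_approval_for_all(victim, attacker, False)

    stolen = []
    for token_id in ledger.tokens_of(victim):
        try:
            ledger.transfer_from(attacker, victim, attacker, token_id)
            stolen.append(token_id)
        except PermissionError:
            break
    return stolen


if __name__ == "__main__":
    print("no revocation:", phishing_scenario())      # every token leaves the wallet
    print("after revoke:", phishing_scenario(True))   # nothing moves
```

The practical takeaway is that approvals outlive the transaction that created them: the attacker never needs the victim’s private key, only the standing permission, so checking and revoking operator approvals on wallets you use for minting or trading is as important as avoiding the phishing link in the first place.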

LandMine NFTs

Another method hackers have used to drain wallets is airdropping an NFT into a person’s wallet; if the person tries to sell or transfer the NFT, it drains their wallet.

This works because the smart contract behind the malicious NFT is a wallet-draining contract, but it has no permission to do anything until the user interacts with it. Once the user does, the contract gains the permissions it needs to interact with the user’s wallet and drain it.

If you receive an airdropped NFT you do not trust, NFT traders advise simply hiding it: it stays in the wallet but does not appear on your main page.

Conclusion

As the methods above show, even on a “Web3” platform you can still fall victim to cyberattacks, and the ways to protect yourself are similar to the “old internet” solutions:

  • Do not click on suspicious links
  • Only give permissions to systems that you trust
  • If you do not trust something, test it in an isolated environment, in this case a “burner wallet”
  • If something feels too good to be true, then it probably is.

Sources:

https://theopendao.medium.com/opensea-phishing-attack-19-february-2022-and-the-opendaos-response-4f71aa80578c

https://blockworks.co/opensea-scammers-went-phishing-and-caught-over-250-nfts-from-17-users/
Crypto airdrop wallet scams

Game company Ubisoft hit with ‘cyber security incident’.

Photo by Sigmund on Unsplash

“Incident”

The French game company Ubisoft, whose titles include the popular Far Cry and Prince of Persia series, confirmed that it had suffered a ‘cyber security incident’ [1]. The incident was first reported by The Verge on March 10 and confirmed by Ubisoft on March 11 [2].

Ubisoft has been around since the late 1980s and has grown to own a collection of major video game franchises, from Just Dance to a myriad of Tom Clancy and Assassin’s Creed titles [3].

Same actors?

According to The Verge, a leaked screenshot from the Telegram channel run by the hacker group LAPSUS$ showed the group’s reaction to the article about the incident, possibly implying a connection to the attack, while neither confirming nor denying it. Ubisoft’s official statement confirmed the incident, which it said caused a “temporary disruption to some of our games, systems, and services” [1], and stated that no player information was exposed as a result; however, the company issued a company-wide mandate requiring employees to change their passwords.

LAPSUS$ has been in the news frequently following a string of data-theft and extortion attacks on companies such as the major chip maker NVIDIA and the tech conglomerate Samsung. Confidential information such as private source code, employee records, and personal data was stolen and then threatened with public release unless certain demands were met [4].

Thoughts

With little official information from Ubisoft about the actual attackers, what happened and by whom remains speculation. The company-wide password reset could point to a scenario in which an employee used a weak or reused password, or in which social engineering or phishing was used to acquire login credentials. Given that LAPSUS$ has not claimed direct responsibility, as it did with the NVIDIA and Samsung attacks [4], it is possible the hackers did not accomplish everything they had hoped to; a successful extortion attack requires acquiring data sensitive enough to force the company to comply with the attackers’ demands and/or pay.

When a company is attacked and its customers’ personal information is released, there is not much one can personally do at that point. Even though customers and their data may not be the main target, rather a demand for changes in company policies or practices, as was the case with the LAPSUS$ vs. NVIDIA incident, our personal information can easily become collateral damage in these situations. I believe it is best to give these companies as little personal information as possible when purchasing or using their products, which these days seems almost impossible, especially when a credit card and billing address are required to purchase something.

As someone who has been a victim of a company’s customer data being leaked, I can personally attest to the huge increase in phishing emails and unauthorized login attempts on many other online services that shared the same email. It was a great reminder never to reuse a password, and it shows just how vulnerable we all are when giving our information to companies while knowing nothing of their security practices.

Photo by Towfiqu barbhuiya on Unsplash

Sources

  1. https://news.ubisoft.com/en-gb/article/3tSsBh25mhHhlbGSy1xbRw/ubisoft-cyber-security-incident-update
  2. https://www.theverge.com/2022/3/11/22972768/ubisoft-cyber-security-incident-hack
  3. https://en.wikipedia.org/wiki/Ubisoft#Games
  4. https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/

Germany’s Cyber Security Authority Warns Against Using Anti-Virus Software From Kaspersky

On March 15, 2022, Germany’s cyber security authority, the Federal Office for Information Security (BSI), warned against using anti-virus software from the Russian-headquartered company Kaspersky.

The BSI recommends replacing applications from the portfolio of anti-virus software from Kaspersky with alternative products.

https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html

Who is Kaspersky?

Kaspersky is a major multinational cybersecurity and anti-virus vendor; however, because it is based in Moscow, Russia, the BSI has expressed concern that it could be used by the Kremlin.

A Russian IT manufacturer can itself carry out offensive operations, be forced to attack target systems against its will, or, as the victim of a cyber operation, be spied on without its knowledge or misused as a tool for attacks against its own customers.

https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html

Concerns about Kaspersky’s neutrality have been raised before. In December 2017, then-U.S. President Donald Trump signed into law a ban on the use of Kaspersky software across the U.S. federal government.

Reactions

The controversy over Kaspersky has even prompted the German professional football club Eintracht Frankfurt to end its sponsorship deal with the company. The club’s CEO Axel Hellmann is quoted as saying:

We have always made it clear that we are tying the continuation of the partnership with Kaspersky to facts and attitude, not to nationalities. With the BSI’s warning, the facts, and thus our confidence in the protective capability of Kaspersky’s products and services, have changed significantly. We have informed Kaspersky’s management that we will terminate the sponsorship contract with immediate effect.

https://klub.eintracht.de/news/eintracht-beendet-partnerschaft-mit-kaspersky-140013

Kaspersky’s Response

Eugene Kaspersky, CEO of Kaspersky, denies any connection with the Russian government and says the BSI’s statement is political rather than based on evidence and facts.

Sources:

  • https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html
  • https://www.bbc.com/news/technology-60738208
  • https://www.bloomberg.com/news/articles/2022-03-15/germany-warns-kaspersky-software-risks-being-exploited-by-russia
  • https://www.reuters.com/article/us-usa-cyber-kaspersky-idUSKBN1E62V4
  • https://klub.eintracht.de/news/eintracht-beendet-partnerschaft-mit-kaspersky-140013

Russia issues its own TLS certificate to bypass sanctions

In response to Russia’s invasion of Ukraine, many Western countries have imposed sanctions prohibiting companies from doing business in Russia, including the public certificate authorities (CAs) that issue the digital certificates binding a website’s public key to its domain name. These X.509 certificates are what the Transport Layer Security (TLS) protocol uses to prove to a browser that it is talking to the genuine site.

With sanctions preventing certificate renewal for Russian websites, sites whose TLS certificates have expired are flagged as insecure and blocked by browsers. In an attempt to solve this access problem, Russia has created its own TLS certificate authority.

How do TLS certificates work?

How TLS works (Source: DigiCert)

TLS is the successor to the better-known Secure Sockets Layer (SSL), and the two names are often used interchangeably. It is a cryptographic protocol that provides confidentiality and integrity for data sent over the Internet, with the server’s identity proven by a digital certificate issued by a CA. TLS is best known for securing HTTPS web browsing, where it is visible as the padlock symbol in the address bar, but it is also used in applications such as email, messaging, and voice over IP.

TLS Handshake (Source: CloudFlare)

A TLS handshake is the process that starts a TLS-encrypted session. During the handshake, the client and the server exchange messages to acknowledge each other, verify the server’s identity (and optionally the client’s), agree on the algorithms they will use, and establish session keys. This can be summarized as the following steps:

  1. Agree on which version of TLS to use
  2. Choose a cipher suite: the set of algorithms for key exchange (for example RSA key exchange in older versions, or ephemeral Diffie-Hellman in TLS 1.3), authentication, and bulk encryption
  3. Authenticate the server by checking that its certificate chains to a CA the client trusts and verifying the CA’s digital signature, with the server proving possession of the private key matching the certificate
  4. Derive session keys for symmetric encryption of the application data

TLS typically relies on trusted third-party CAs to issue certificates; the three largest are IdenTrust, DigiCert and Sectigo. With some of these companies withdrawing from Russia, and sanctions leaving them unable to receive payments from Russia, Russian websites are unable to renew their certificates and are consequently blocked by web browsers.

Russia’s Domestic TLS

Announcing the availability of domestic certificates (Gosuslugi)

The Russian government’s solution is to issue TLS certificates itself to websites in the country: “It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days,” explains the Russian public services portal, Gosuslugi (translated).

Risks and Limitations

However, this plan has significant limitations. A certificate is only useful if the client trusts the CA that issued it: browsers ship their own root certificate stores and are free to reject any issuer they do not deem trustworthy. Getting a new root CA added to those stores takes many months at a minimum, so Russia’s domestic certificates are currently rejected by the major Western browsers. The only browsers that accept them are Yandex Browser and Atom, both of which are Russian.

This also creates a significant privacy threat to Russian residents. Mike Parkin, researcher and senior technical engineer at Vulcan Cyber, tells CSO News: “While it’s unlikely that the major browsers will ever accept the new Russian CA, it may be a problem for those users in Russia. They will have to rely on their CA, which is sanctioned by a government that is not well known for respecting user privacy or taking a strong stand against cybercriminals.”

Bottom Line

This action by the Russian government prompted many to wonder whether it is a step towards a Russian “sovereign internet”, in which the nation completely disconnects from the global Internet. “This would happen under a 2019 Law on Sovereign Internet. According to Russia’s legislation, disconnecting Russian internet infrastructure from the global internet would be a defensive move, although this leaves a wide room for interpretation,” according to a Flashpoint post.

Sources:

https://www.globalsign.com/en/ssl-information-center/what-are-certification-authorities-trust-hierarchies

https://www.digicert.com/tls-ssl/tls-ssl-certificates

https://www.internetsociety.org/deploy360/tls/basics/

https://www.cloudflare.com/en-ca/learning/ssl/what-happens-in-a-tls-handshake/

https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/

https://www.csoonline.com/article/3653315/traffic-interception-and-mitm-attacks-among-security-risks-of-russian-tls-certs.html

https://www.flashpoint-intel.com/blog/ukraine-russia-war/russian-runet-sovereign-internet/

NetWalker and the rise of RaaS

Ransomware-as-a-service, or RaaS, is a business model in which developers sell ransomware to a network of affiliates who may lack the resources or experience to create their own malware. Profits are then split between the two groups. Although such services are typically accessed via the dark web, they operate similarly to legitimate software services, with marketing campaigns, help forums, and kits that allow even those with little technical knowledge to pose a serious threat. Bitcoin is the preferred method of payment, making criminal behavior even more difficult to track.[1] 

Direct ransomware operations vs the RaaS model.

RaaS, coupled with more sophisticated extortion strategies, is credited with the proliferation of ransomware attacks in recent years. Not only is the number of reported attacks on the rise, but the average ransom payment has increased (up approximately 82% from 2018 to 2020).[2] According to Cybersecurity Ventures, it is estimated that ransomware attacks occurred once every 11 seconds in 2021.

Businesses of any size are at risk. While smaller businesses tend to have weaker security measures in place, larger businesses may be more willing to pay higher ransoms to minimize downtime.

NetWalker’s Notoriety

NetWalker, formerly called Mailto, was established by the cybercrime group Circus Spider in 2019 and transitioned to a closed-access RaaS model in 2020, meaning affiliates were screened before being granted access to customize the ransomware as they saw fit. In particular, NetWalker selected hacker gangs who specialized in high-precision network attacks against larger companies rather than mass-distribution methods targeting smaller entities.[3] The group’s activity was at its peak in early 2020, attacking immigration agencies, schools, law enforcement centers, and hospitals.

NetWalker’s success can be attributed to the utilization of double-extortion techniques, leaking samples of the victim’s data and threatening to release more if their demands were not met.[4] Healthcare facilities were particularly vulnerable, due to understaffed IT departments overwhelmed in the early days of the pandemic. Universities specializing in medical research also became prime targets.

The Case

In January 2021, Sebastien Vachon-Desjardins, a former Canadian government employee, was arrested for his alleged involvement in the NetWalker ransomware attacks from April-December 2020. Canadian authorities seized approximately $28.1 million worth of bitcoin and $790,000 CAD, as well as 20 terabytes of data leading to the identification of 17 compromised Canadian companies.[5] Around the same time, the Bulgarian national police force disabled part of NetWalker’s payment infrastructure that doubled as the group’s leak site.[4]

The NetWalker leaks site has since been taken down. Image Credits: TechCrunch (screenshot).

Earlier this year, Vachon-Desjardins pled guilty to charges of participation in a criminal organization and unauthorized use of computer data. He has recently been extradited to the US and is now awaiting further charges.[6, 7]

Despite the increase in ransomware attacks, effective enforcement against cybercrime remains low, for the simple reason that the law often does not cover situations in which the perpetrator is in a different jurisdiction than the victim. The apprehension of Vachon-Desjardins shows that strong international collaboration is a vital tool in combating and deterring future attacks.

References:

  1. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
  2. https://www.pandasecurity.com/en/mediacenter/security/ransomware-statistics/#ransom
  3. https://www.varonis.com/blog/netwalker-ransomware
  4. https://threatpost.com/netwalker-ransomware-suspect-charged/163405/
  5. https://www.newswire.ca/news-releases/successful-collaboration-between-the-rcmp-and-the-fbi-leads-to-guilty-plea-and-forfeiture-of-over-34-million-in-assets-865266069.html
  6. https://www.infosecurity-magazine.com/news/netwalker-suspect-extradited-to-us/
  7. https://techcrunch.com/2022/03/11/netwalker-extradited-bitcoin-seized/


War censorship exposes Putin’s leaky internet controls

President Vladimir Putin was attempting to make Russia’s internet a strong tool of surveillance and social control, similar to China’s so-called Great Firewall, long before waging war on Ukraine.

As a result, Russian investigative journalist Andrei Soldatov was frightened when Western tech corporations began breaking relations with Russia following its invasion. He’d spent years exposing Russian censorship and was concerned that well-intentioned measures to aid Ukraine might instead boost Putin’s propaganda war by isolating Russians from the free flow of information. The Kremlin quickly took up the baton, limiting both Facebook and Twitter to the point where they are essentially unavailable on the Russian internet. Putin has also restricted access to both Western and independent news outlets in the country, and a new law makes it illegal to transmit material that opposes the government’s position. The Kremlin also stated that access to Instagram would be restricted. The network monitor NetBlocks found network data revealing that the social network had been blocked in Russia for numerous users by early Monday.

The government has had minimal success in preventing the use of software known as virtual private networks, or VPNs, which allows users to circumvent content restrictions. Putin’s attempts to limit the use of other censorship-eluding software are similarly misguided. This puts internet bandwidth providers and related firms that are sympathetic to Ukraine’s predicament in a difficult position. On one hand, they are under public pressure to punish the Russian government, and on the other, they are under economic pressure to curtail services at a time when bills are likely to go unpaid.

Microsoft, on the other hand, hasn’t announced whether it will stop offering cloud services in the nation, while suspending all new product and service sales. Cogent, a major “backbone” provider for internet traffic located in the United States, has severed direct connections within Russia but maintained open pipes via subsidiaries of Russian network providers at exchanges physically outside the country. There has been no discernible decrease in connectivity from outside providers. All internet providers in Russia are required by law to install hundreds of so-called middleboxes, router-like devices managed and remotely controlled by officials that can block particular websites and services. In any case, this framework, which also lets the FSB security service spy on Russian residents, is a coarse sieve compared with China’s Great Firewall. Andrew Sullivan, head of the nonprofit Internet Society, said there is no proof it can effectively disconnect Russia from the wider internet.

ProtonVPN, which Droz says has been creative in finding ways to evade Russian blocking, reports ten times the number of daily sign-ups it saw before the conflict. VPN services tracked by analysts at Top10VPN.com saw Facebook and Twitter downloads surge to several times higher than normal.

Russia’s elites are believed to be big VPN users. No one expects them to disconnect.

Sources:

https://abcnews.go.com/Business/wireStory/war-censorship-exposes-putins-leaky-internet-controls-83425364

https://www.g2.com/articles/internet-censorship

https://exit.al/en/wp-content/uploads/sites/3/2016/12/skype_censorship.jpg