Microsoft claims Ukraine has been hit with hundreds of cyberattacks from well-known state-backed Russian hacking groups.
The post Russia continues digital onslaught against Ukrainian systems appeared first on Malwarebytes Labs.

According to Microsoft, at least six Kremlin-backed hacking groups have been attacking Ukraine in the digital space in an onslaught that began before the invasion in late February. The company counted more than 237 cyberattack operations against Ukrainian systems and critical infrastructure.

These attacks involve destructive malware that “threaten civilian welfare”, accompanied by intelligence gathering and reconnaissance.

APT28 (aka FancyBear), DEV-0586, Energetic Bear (aka Dragonfly), Gamaredon, Nobelium, Sandworm, and Turla are the nation-state actors carrying out the attacks.

“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Microsoft said. The company gave several examples to illustrate this correlation: “While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of ‘abandoning’ Ukrainian citizens.”

Russia was seen using various techniques in its attack to gain initial access. This includes phishing campaigns, vulnerability exploitation, and compromising upstream IT services. The country is also not shy about using wiper malware—destructive malware CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) highlighted in an updated alert initially released in late February.

HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper were deployed to Ukrainian networks in January 2022.

Microsoft believes that Russian cyberattacks will continue to escalate. Nation-state threat actors may also expand their destructive attacks outside Ukraine to retaliate against countries helping Ukraine or continuing to inflict punitive measures against Russia.

“We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey—all NATO member states actively providing political, humanitarian or military support to Ukraine.”

You can read more about Russian cyberattack activities against Ukraine in Microsoft’s Special Report: Ukraine.

Russia continues digital onslaught against Ukrainian systems

Plus: Trump backers breach election systems, Microsoft tracks Russia's war prep, a new Facebook leak reveals a mess, and Bored Ape Yacht Club gets hacked.

Surprising news abounded this week as Ukrainian officials weigh next steps in their digital campaigns against Russia, given that their efforts so far have been unexpectedly successful, if sometimes controversial. Overall, Russia is being pummeled with cyberattacks of all sorts at a scale beyond anything the country has dealt with before.

Meanwhile, new research indicates that a small group of North Koreans have taught themselves to jailbreak smartphones in an effort to bypass the regime's extensive digital restrictions and access forbidden media.

Elon Musk's bid this week to purchase Twitter highlighted a host of potential privacy and security concerns for the platform's users. The United States faced a notable spike in child sexual abuse sites in 2021 as CSAM hosting continued to increase dramatically around the world. Hollywood's fight against VPNs has gotten more heated as the entertainment industry expands its accusations about illegal activity enabled by the services. And Cloudflare recorded a historic DDoS attack that bombarded a cryptocurrency platform with 15.3 million requests.

If you feel like doing something for your own security or that of your business this weekend, we've got a roundup of all the most critical mainstream vulnerabilities from April that you can patch right now. 

And there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

The Office of the Director of National Intelligence released its annual transparency report on Friday, which showed that the FBI conducted as many as 3.4 million warrantless searches of Americans’ data in 2021, including 1.9 million searches related to a Russian cyberattack. This is the first time ODNI has published a number for FBI searches utilizing the Foreign Intelligence Surveillance Act of 1978, or FISA. The law is meant to authorize investigative capabilities related to foreign threats, but it allows for some incidental domestic searches in the process. FISA activity has often been criticized for happening without public transparency.

In an in-depth analysis, Reuters looks at eight incidents around the country in which activists supportive of former President Donald Trump have attempted to breach or successfully compromised local voting systems as part of their quest to uncover evidence of manipulation in the 2020 US presidential election. In most cases, activists persuaded local election officials, all Republicans, to export and leak vote data. In the year and a half since Joe Biden became president, Trump loyalists have continued to falsely assert that voting machines across the US were compromised to produce Biden's win.

“These threats are being fueled by extreme elected officials and political insiders who are spreading the Big Lie”—that the 2020 vote was stolen—“to further suppress the vote, destabilize American elections, and undermine voter confidence,” Colorado Secretary of State Jena Griswold told Reuters in a statement.

In a report on Wednesday, Microsoft said it has found evidence that Russia began setting the stage for its invasion of Ukraine as early as March or April 2021. During that time, Russian state-backed hackers began establishing access points in Ukrainian government and critical infrastructure systems, researchers found. The attackers seem to have been collecting intelligence on the Ukrainian military, NATO member states, and diplomatic targets. In the report, Microsoft calls Russian aggression against Ukraine a “hybrid war” and says that Russian cyberattacks have been “relentless and destructive.” 

Microsoft reports that in early 2021, as Russian troops began to gather at the Ukrainian border, the Russian hacking group known as APT 29, Cozy Bear, and Nobelium began mounting phishing attacks to establish access. Microsoft says the Russian hacking group known as Ghostwriter was also active at this time, targeting Ukrainian military email accounts and networks with phishing attacks.

An internal Facebook document prepared last year and obtained by Motherboard lays out concerns from privacy engineers on the social network's Ad and Business Product team about the company's ability to account for the data it holds and track data as it moves through the service. The revelations are not necessarily surprising, given Facebook's sheer scale and recurrent data control issues, but they are significant as the tech giant works to comply with an increasing array of privacy legislations around the world. 

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document says.

A company spokesperson told Motherboard that the document “does not describe our extensive processes and controls to comply with privacy regulations” and that “this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”

Hackers compromised the Instagram account of NFT collection Bored Ape Yacht Club on Monday, posting a link to a copycat site that scammed visitors out of NFTs. The company said in a statement to WIRED that “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m.” NFT scams and other cryptocurrency hustles in which attackers publish a malicious or misleading link to steal coins are unfortunately not new. The BAYC situation is particularly ominous, though, because the company says it had full two-factor authentication enabled on the Instagram account and that “the security practices surrounding the IG account were tight.” The group is investigating how the Instagram takeover occurred.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

FBI Conducted 3.4 Million Warrantless Searches of Americans' Data

A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages.

**Born in the cloud. Built for the future of business. This is automation, unleashed.**

Automation 360 is a single, integrated platform that transcends front office and back office technology siloes to automate business processes across all systems and applications, including both SaaS and legacy apps.

 

A must read, one-of-its-kind, industry report

What are top-performing companies doing with RPA to achieve an astounding 380% ROI? Get the inside scoop in the latest Now & Next: State of RPA report.

**Leave no process or employee behind with end-to-end automation, powered by cloud**

Automation 360 has you covered at all angles in the virtuous cycle of hyperautomation

Double your automatable processes by turning every piece of structured and unstructured data in any document into a consumable digital asset through AI and ML with IQ Bot.

Learn about IQ Bot

Take an accurate pulse on every bot and critical insights on every process in real time to enable data-driven decisions and enhancements with Bot Insight.

Learn about Bot Insight

**Unify front and back office with ready-for-anything, access-from-anywhere, end-to-end automation**

Delight employees and customers alike with automation-powered superior experiences

Front Office

Raise your customer satisfaction score with automation that efficiently resolves customer issues and optimizes time spent with customers.

Learn More

Back Office

Turn complex manual processes using legacy systems into streamlined automations, reducing human error and speeding digital transformation.

Learn More

Employee Experience

Empower human ingenuity. Integrate automation into employees' day-to-day, freeing them from mundane tasks and increasing high-value productivity.

Learn More

**Reap the benefits of a modern platform**

Automate 2x more processes\* out of the gate—from simple to highly complex business processes

Increase security, agility, and innovation at 1/5 of the cost\* of infrastructure and maintenance of legacy on-premises and cloud-hosted solutions

Scale 3x faster\* compared to any other platform, with reduced setup, bot creation, and bot deployment time

\*IQ Bot’s pre-trained OOTB solutions for over 100 use cases of document extraction lead to 2x more process automation; AARI enables customers to automate 2x more processes than possible with only RPA  
\*1/5 cost: based only on estimated infrastructure and maintenance cost  
\*3X faster scaling: Based on estimated speeds of development, deployment and maintenance, compared with other RPA platforms  
Actual results will vary by customer deployment

**Solve your business challenges with Automation 360**

Entrenched legacy apps

Begin your automation journey without having to change your existing technology. Gain efficiencies from Automation 360 working across both modern and legacy software.

The need for cloud

Speed up modernization of your on-premises enterprise technologies to SaaS solutions by automating data migration with Automation 360 for fast and accurate results.

Employee experience

Improve the employee experience with digital assistants for every employee to automate swivel-chair tasks.

Customer experience

Increase customer satisfaction with shorter processing times, more accurate data, and better customer service and support.

**A complete 360-degree solution for every nuance**

Security & governance

Automation 360 is ISO27001 and Soc 1 & 2 certified, providing the most comprehensive, multi-layered approach to security including identity and access management, data encryption, audit logs and monitoring, cloud infrastructure security, incident response, and application security.

AI/Machine learning

With AI and machine learning built into the platform, Automation 360 is continuously improving. You can even integrate third-party AI capabilities into your processes with drag and drop ease.

Pre-built Bots

Accelerate and scale automation with prebuilt bots from Bot Store, including more than 1200 prebuilt bots, packages, and digital workers, directly integrated with Automation 360.

Rich partner ecosystem

The extensible, pluggable Automation 360 architecture can easily integrate with additional enterprise solutions offered by our technology partners.

**Leading companies trust Automation Anywhere**

RPA is one of the key tools we have in our toolkit which enables broader digitization of our internal processes.

**– Andrew Davies**, CFO 

RPA brought speed to our operations. The complex processes in treasury and tax are now more accurate and efficient.

**– Vikas Kapoor**, Senior Vice President, Finance 

Our corporate goal is to reach $22 billion of revenue by the year 2022. The only way to scale that much is to do things better. Automation is allowing us to do that.

**– Cynthia Holmecki**, Global Leader Intelligent Automation Solutions 

It just took 3 weeks for small and medium-sized processes to be automated. The heaviest processes took only 9 weeks. The results were delivered fast, giving us the opportunity to assess the fast pace.

**– Ravi Konda**, Sr. Manager, IT 

Combining RPA with cognitive automation and analytics gives us the foundation to transform how we serve customers.

**– Richard Mendoza**, Automation Capabilities Leader 

Bank leadership is excited because we recovered our investment with a 1300% ROI within the first year.

**– Jorge Ivan Otalvaro**, VP Service Delivery and Operations 

With the implementation of RPA for our billing portal, we’ve increased our efficiency and production, decreased processing costs, and scaled for the future.

**– Kevin Tucceri**, Business Process Owner, Credit & Collections 

Once we got a few groups on board with RPA, that was really a game changer for us. People started to see the results and the excitement was contagious.

**– Joe Cotnoir**, Director HRIS—Business Process Enablement, HR Services 

**...and users love us!**

**A+ CUSTOMER SUCCESS**

Maximize return on your automation investment with the most comprehensive customer success program

**Learning and community resources**

Our customers become part of the most comprehensive RPA support ecosystem. Get product education and training with Automation Anywhere University, connect with thousands of RPA practitioners in the A-People online community, and have access to 24/7 technical support.

Automation Anywhere University

Our intelligent automation platform comes with world-class training

Learn More

Community Edition

Instantly start your RPA journey with the FREE Community Edition

Get Started Now

A-People Community

Join the fastest-growing RPA network in the world

Join A-People

**Get started  
with Cloud RPA**

CVE-2022-29856: Cloud Automation | Automation Cloud   | Automation Anywhere

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-41948: 1-click stored XSS from admin panel to site · Issue #8 · intelliants/subrion-plugin-contact_us

Exclusive Threatpost research examines organizations’ top cloud security concerns, attitudes towards zero-trust and DevSecOps.

Exclusive Threatpost research examines organizations’ top cloud security concerns, attitudes towards zero-trust and DevSecOps.

Over the past 15 years, the cloud has blown business into a new age of networking, for solid reasons: Small businesses can get online fast, using the same tools as the big companies; large companies can scale up and down to match demand; and organizations of all sizes can quickly react to business fluctuations in terms of allocating resources and onboarding applications.

Click to Expand

As well, of course, over the past few years, the pandemic has made cloud resources crucial when it comes to supporting remote workforces.

_\[**Editor’s Note:** This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story\]_

However, the mad dash to set up shop in the cloud can sometimes lead to stormy weather: There are, after all, beaucoup security challenges hidden behind the cloud’s promise of blue skies. As Prevailion CTO Nate Warfield enumerates, cloud marketplaces “are rife with pre-built virtual machine (VM) images containing unpatched vulnerabilities, overly permissive firewall settings, and even malware and coin miners. Cloud providers don’t take a proactive stance towards breach and compromise monitoring and, in many cases, won’t even pass on notifications to their customers which they have received from external researchers.”

Click to Expand

In order to put some quantifiable numbers around how organizations are faring in their journeys to the cloud, Threatpost polled 400+ readers. Topics included what security dangers respondents have encountered, and which ones they most fear they’ll run into. We also asked what security tools they plan to implement in the coming months.

When asked how confident respondents are that their organization had implemented sufficient cloud security, the majority felt bullish (68 percent). Worryingly, almost a quarter (24 percent) said they had no confidence in their organization’s cloud security. Just 8 percent said they feel “highly” confident.

**Lions & Tigers & Shared**

Click to Expand

**Responsibility**

Warfield’s list of challenges is just the tip of the iceberg, according to the poll results. There are also data-privacy and regulatory issues; the basic challenges of implementing cloud, such as staff shortages; the threat of cyberattack and data exposure; and plain old confusion.

Not everyone is sure who’s responsible for what when it comes to the sharedresponsibility model for public cloud deployments. And, a recurring question is what zero-access architecture for access management entails.

Just over half said they have embraced the shared-responsibility model for public cloud deployments (59 percent), but a quarter said they “don’t really understand it” and 12 percent said they did not. When asked if they’ve implemented a zero-trust architecture for access management, 53 percent said, “not yet but plan to,” and 17 percent said it confused them. Just 23 percent said yes. Six percent said absolutely not.

The notion of “DevSecOps,” where security is built into an organization’s cloudnative application lifecycle management, has more support: 71 percent noted that they’ve either adopted the strategy or soon plan to; but a fifth (21 percent) said they didn’t fully grasp what it means.

Meanwhile, organizations perceive there to be a lot of security pitfalls in the cloud. In its poll, Threatpost asked about a number of them, from API vulnerabilities to stolen cloud credentials, and container bugs to a smorgasbord of malware, including ransomware and cryptomining malware.

**Security Pitfall No. 1: Misconfigurations**

The biggest number of respondents – 27 percent – cited misconfigurations and data exposure as the biggest threat to their cloud deployments.

Click to Expand

While many respondents reported that they’ve either experienced a cyberattack on their cloud assets in the past 12 months (18 percent) or that they aren’t exactly sure (2 percent), an even larger portion – 38 percent – reported having experienced a data-exposure incident due to misconfiguration.

Poll respondents’ takes on the issues confirm what’s been a constant over the past few years; namely, misconfigured cloud deployments have been, and continue to be, rampant. In a 2020 survey of 2,064 Google Cloud buckets by Comparitech, 6 percent of all Google Cloud buckets were estimated to be misconfigured and left open to the public internet, for anyone to access their highly sensitive content.

Respondents ranked their other most-worrying cloud security threats as account compromise and stolen cloud credentials, (20 percent); API vulnerabilities (13 percent); advanced attacks against cloud providers (11 percent); ransomware (9 percent); cyberespionage/data theft (6 percent); distributed denial of service (DDoS, 5 percent); other malware (3 percent); and cryptojacking (2 percent).

**How You’re Protecting the Cloud**

Fortunately, efforts to secure the cloud aren’t static. Nor are the technologies. When asked what security tools they’re planning on implementing in the next 12 months, poll respondents listed a host of technologies that will hopefully fill in whatever holes they have in their cybersecurity umbrellas.

For better or worse, multifactor authentication (MFA) on all accounts was cited as the top tool already in use by the most respondents, at 12 percent. It’s important however not to fall into a false sense of security: In January 2021, the feds warned that cloud attacks were bypassing weaker two-factor authentication, such as schemes that use a code sent to a mobile phone via SMS.

Click to Expand

In terms of the top security tools that poll respondents plan to invest in, encryption for data at rest and data in transit (cited by 11 percent) took the lead, followed by identity access management (11 percent) and the adoption of self-managed security controls offered by cloud providers (9 percent).

The top most-cited planned upgrade to cloud security in the poll was user-behavior analytics: i.e., the use of artificial intelligence and machine learning to analyze large datasets and identify patterns that signify security breaches. This can be used to spot anomalous behavior that may indicate data exfiltration or other malicious activity that might otherwise slip by security tools and personnel. In all, 9 percent of respondents said their organizations have behavior analytics in the works in the coming year.

Click to Expand

The next set of top cloud-security tools on the to-do list were cloudconfiguration monitoring tools (cited by 8 percent), a single console to manage security across multiple clouds (7.5 percent), and MFA on all accounts (7.5 percent). Next up were risk assessment and auditing (7.5 percent), policybased data loss prevention (DLP) (7 percent) and data activity monitoring (7 percent).

**What’s Gumming Up the Works**

Some security tools are in place, while more are being implemented. But all of this work to secure the cloud is, well, work, and it often requires more hands than are available. As noted earlier, respondents cited a lack of skilled staff as the biggest challenge when it comes to securing the cloud, (19 percent).

Indeed, the (ISC)²’s 2021 Cybersecurity Workforce Study found that there are 2.72 million open cybersecurity positions globally, and that the worldwide cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. Out of those, cloud management and cybersecurity ranked highest when it comes to the biggest talent gaps that companies need to fill.

The next biggest challenge facing organizations is a lack of visibility into what data is held within cloud applications, cited by 13 percent. That’s followed by insufficient identity and access management controls at 11 percent.

It’s clear that cloud security is increasingly top-of-mind at organizations, which have big plans for addressing it. But it’s a proverbial journey, not a sprint. As Prevailion’s Warfield noted, it’s crucial to take it seriously, and the time is now to start implementing controls.

“Cloud networking isn’t inherently insecure,” he said. “But as the world shifts to a cloud-centric and hybrid cloud environment, particularly for remote workforces, organizations need to recognize that their cloud-security strategy, policies, controls and processes must be as robust as in a classic onpremises environment.”

**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** **_FREE downloadable eBook_****_, “Cloud Security: The Forecast for 2022.”_** **_We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**

Security Turbulence in the Cloud: Survey Says…

At least six different Russia-aligned actors launched no less than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.
"Collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and

At least six different Russia-aligned actors launched no less than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.

"Collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public's trust in those same institutions," the company's Digital Security Unit (DSU) said in a special report.

The major malware families that have been leveraged for destructive activity as part of Russia's relentless digital assaults include: WhisperGate, HermeticWiper (FoxBlade aka KillDisk), HermeticRansom (SonicVote), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.

WhisperGate, HermeticWiper, IssacWiper, and CaddyWiper are all data wipers designed to overwrite data and render machines unbootable, while DoubleZero is a .NET malware capable of data deletion. DesertBlade, also a data wiper, is said to have been launched against an unnamed broadcasting company in Ukraine on March 1.

SonicVote, on the other hand, is a file encryptor detected in conjunction with HermeticWiper to disguise the intrusions as a ransomware attack, while Industroyer2 specifically targets operational technology to sabotage critical industrial production and processes.

Microsoft attributed HermeticWiper, CaddyWiper, and Industroyer2 with moderate confidence to a Russian state-sponsored actor named Sandworm (aka Iridium). The WhisperGate attacks have been tied to a previously unknown cluster dubbed DEV-0586, which is believed to be affiliated to Russia's GRU military intelligence.

32% of the total 38 destructive attacks are estimated to have singled out Ukrainian government organizations at the national, regional and city levels, with over 40% of the attacks aimed at organizations in critical infrastructure sectors in the nations.

In addition, Microsoft said it observed Nobelium, the threat actor blamed for the 2020 SolarWinds supply chain attack, attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.

Other malicious attacks involve phishing campaigns targeting military entities (Fancy Bear aka Strontium) and government officials (Primitive Bear aka Actinium) as well as data theft (Energetic Bear aka Bromine) and reconnaissance (Venomous Bear aka Krypton) operations.

"Russia's use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians," Tom Burt, corporate vice president of customer security and trust, said.

"Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. It's likely the attacks we've observed are only a fraction of activity targeting Ukraine."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Documents Over 200 Cyberattacks by Russia Against Ukraine

Even the head of the country's online offensive is surprised by the successes—although they’re not without controversy.

When Russian president Vladimir Putin launched his full invasion of Ukraine in February, the world expected Moscow’s cyber and information operations to pummel the country alongside air strikes and shelling. Two months on, however, Kyiv has not only managed to keep the country online amidst a deluge of hacking attempts, but it has brought the fight back to Russia.

Even Ukrainian officials are surprised by how ineffective Russia’s digital war has been.

“I think that the root cause of this is the difference between our systems,” says Mykhailo Fedorov, Ukraine’s 31-year-old minister for digital transformation. “Because the Russian system is centralized. It's monopolized. And it leads to the scale of corruption and graft that is becoming increasingly apparent as the war continues.”

Speaking to WIRED from near Kyiv, Fedorov says his country has been preparing for this moment since Russia first invaded in 2014. “We have had eight years,” he says.

In recent weeks, Fedorov and the Ukrainian government have deployed the controversial face recognition program ClearviewAI to identify killed and captured Russian soldiers. They have deployed thousands of Elon Musk’s Starlink terminals to keep the country connected, even amid Russian bombardment. They have crowdsourced intelligence collection, letting ordinary Ukrainians report troop movements. And, perhaps most critically, they have beaten back aggressive attempts to knock offline their internet, energy, and financial systems.

Fedorov, who also serves as deputy prime minister, ran Ukrainian president Volodmyr Zelensky’s wildly successful election campaign in 2019, winning by nearly 50 points in the second round against incumbent Petro Poroshenko. He did so, in part, by leveraging authentic selfie videos to market the former comedian as an unconventional politician who eschews the normal trappings of politics. It’s exactly that style of video that Zelensky has uploaded regularly from the streets of Kyiv in recent weeks, offering a stark contrast with Putin’s stiff proclamations inside his palatial offices.

Ukraine has brought the war home to Russia in more cutting ways. In March, Reuters reported that Ukraine had purchased face recognition software from American company Clearview AI to identify the bodies of Russian soldiers killed in action—Kyiv later acknowledged that they were using this information to contact the families of the dead soldiers.

“We are pursuing two goals here,” Fedorov says. “First is: We are notifying their relatives, and telling them, basically, that it's not a very good idea to go to war with Ukraine. So that serves as a cautionary tale. And secondly, it's a humanitarian purpose—just telling them where their relatives, or friends, or children are so that they don't try to get this information from the Russian authorities. Because, more often than not, they can't.”

That decision hasn’t come without criticism. Contacting the families of soldiers killed in battle could be seen as harassment. Others have pointed out that being deployed in Ukraine is a PR coup for ClearviewAI, which has been embroiled in scandal over its liberal use by police forces across North America.

Fedorov, for his part, says Russia “can spin this whatever way they want. But the fact of the matter is, there are tens of thousands of Russians dying in Ukraine, and we are just providing this information to their families because that serves, among other things, a humanitarian purpose.”

There is a propaganda element to Kyiv’s use of face recognition technology as well.

“This facial recognition plays to our, let's say, to our advantage in the information space,” Fedorov says. Moscow has projected the image of a professional and volunteer fighting force. “We're trying to say that, for example, Russia is sending conscripts … we are proving that and justifying that with a lot of factual information. We can give you a list of hundreds of people who are 18 and 19 years old, with their names and with their birth dates and how and where specifically, they were conscripted. So that gives some substance to our claims.”

Fedorov says the utility goes beyond just identifying the dead.

“One interesting case study of how we used Clearview AI,” Fedorov says. “There was a man who was found in a Ukrainian hospital, claiming that he was a Ukrainian soldier who suffered from shell shock or some kind of trauma and that he forgot everything. And he was claiming that he was Ukrainian. So the doctor sent the picture to us, and we were able to ID him in a matter of minutes. We found his social network profile, and we established that he was Russian and, of course, he was brought to responsibility.”

Ukrainian officials have said that the frequency of Russian cyberattacks tripled immediately prior to the war, and they have aggressively targeted critical infrastructure since the war began.

But Viktor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, says Moscow may have maxed out its ability to launch attacks. “Russian cyber operations likely reached their full potential," he says.

Zhora told WIRED that years of training, exercises, and cooperation with NATO have made Ukraine far more resilient to cyberattacks. Some attacks are easier to defend against than others—as we spoke, Zhora said he was monitoring an active attack on the state administration of Lviv, which had been publicly announced by Russia hours earlier.

But Zhora stresses that while it is wrong to overestimate how powerful Russia’s cyber capabilities are, it would also be wrong to underestimate its more “sophisticated” operations. “We should continue to observe their potential, like Sandworm, like a Fancy Bear, like Gamaredon, many other groups that are still active, and still very dangerous,” he says, referring to a number of Russian government hacker groups.

Brandon Valeriano, a senior fellow at the Cato Institute who specializes in cyber operations, says offensive cyber operations don’t mesh well with traditional, kinetic warfare. At best, he says, “they’re enabling, they’re complimentary … they don’t transform it.”

Valeriano points to a slowdown in the tempo of Russian-backed cyberattacks targeting the United States as evidence that Moscow’s capacity isn’t as expansive as some have assessed. “They’re not organized for offensive cyber operations in the way that we think they are,” he says.

Kyiv’s ability to beat back against those operations, Valeriano says, can be attributed to “intense collaboration between Ukraine, Western powers, and NATO.” Indeed, Five Eyes signals intelligence agencies have both been providing training and support for Ukraine’s cyber defense and have been sharing threat intelligence. (Zhora stresses that information-sharing is a “two-way road.”)

Ukraine has been able to defend itself, both in cyberspace and in an outright propaganda war, because it has managed to stay online. For that, Fedorov credits a decentralized network of internet service providers and Elon Musk.

“It wouldn't be possible to restore 10 km of cable connection between villages in Chernigiv region after serious battles so quick,” he tweeted earlier this month. “Normally it takes few months.” But with one Starlink satellite, he says, five villages were reconnected in a matter of days.

“We have received over 10,000 Starlink terminals to date, and we use those where we have blind spots with, let's say, more traditional coverage,” Fedorov says. “So we are trying very hard to restore and protect our landline and mobile connections.”

Like any physical infrastructure, those Starlink terminals—which have even managed to keep the embattled city of Mariupol online—have been vulnerable to Russian shelling. Zhora says Russia has managed to hit some of those terminals but has not managed to target the system as a whole. “I suppose that it was coincidence that some shells hit these terminals and locations,” Zhora says. “It's not easy to identify and to attack them systematically.”

Keeping Ukrainians online is a clear strategic objective for Ukraine. Photo and video evidence of the brutality being doled out by the Russian army has galvanized Western support for Kyiv and led to an unprecedented level of support from NATO to help the country defend itself.

It’s also letting regular Ukrainians contribute to the collective defense.

During Zelensky’s presidential campaign, Fedorov made particular use of the messaging app Telegram, which is also popular with Russian intelligence operatives. In recent weeks, the app has been leveraged to collect evidence of possible war crimes in towns like Bucha, but also to enable Ukrainians to upload details of Russian troop movements. A Telegram bot collects photos and videos of Russian military movements, verifying Ukrainians through their digital ID,: a project spearheaded by Fedorov.

“Regular internet users—so, basically, civilians—they can go and post photos of what's happening in Ukraine,” Fedorov says.

The Ukrainian security ministry said in a tweet in March that those crowdsourced reports have directly contributed to drone strikes against Russian tanks.

“There are actually very many ways that regular citizens can contribute to the effort,” Fedorov says. One particularly “successful vector,” he says, is basically trolling. His government has been sending users “into the comment sections of posts by some very high traffic Russian influencers and just trying to talk sense into people and telling them that there's actually a war in Ukraine.”

Fedorov is also responsible for Ukraine’s IT Army, a network of cyber activists and hackers who have targeted Russian systems. In recent weeks, they have dumped huge troves of personal information from large Russian corporations.

Russia’s poor information security has also been a significant factor in their fumbled invasion.

A huge number of technology providers, from cybersecurity firms to cloud hosting services, have pulled out of Russia since the start of the war—either due to sanctions or to a concerted push from Fedorov and others in the Ukrainian government. “If the world were able to stop the delivery of these products to Russia, we see that they will have no infrastructure even to organize attacks,” Zhora says.

Russia’s attempts to knock out mobile and internet connections in Ukraine have mired their own communications. Their encrypted radio platform, Era, has been unreliable, leading Russian soldiers to opt for unencrypted platforms. Numerous outlets have reported details of conversations between Russians troops, their commanders, and their families—some even admitting to possible war crimes over unencrypted channels.

While Fedorov’s reform mission has played a large role in modernizing Ukraine, support from the West has certainly helped. SpaceX and the United States have sent some 5,000 Starlink terminals. Fedorov says the European Union has provided some 10 million euros toward computer systems and workstations.

Asked what Ukraine needs as the war wears into its third month, Fedorov mentions satellite equipment, including more Starlink terminals, as well as laptops, tablets, and other tools “to put our civilian infrastructure back online.” He also jokes: “Let's say that the most surefire way to keep us online for a very long time to come is to provide us with artillery, tanks, and warplanes—because that will effectively end the war. And that will remove the problem altogether.”

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Ukraine’s Digital Battle With Russia Isn’t Going as Expected

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

A comprehensive cybersecurity strategy should include physical security. Adversaries don't need to worry about compromising a corporate device or breaching the network if they can just walk into the office and connect directly into the network.

CISOs are increasingly including physical security as part of their strategic investments, says Stephanie McReynolds, head of marketing at Ambient.ai. Organizations are spending a lot of money and effort to lock down cybersecurity, but all of those security controls are useless if the adversary can just enter a restricted space and leave with equipment.

"The last mile of cybersecurity is physical location," McReynolds says.

Ambient.ai uses computer vision technology to solve physical security problems, such as monitoring who is entering the building or a restricted area and monitoring all the video feeds coming from the camera network. Computer vision is a subcategory of artificial intelligence dealing with how computers can process images and videos and derive an understanding of what they are seeing. The idea behind computer vision is to provide computers with eyes to see the same things humans see, and training the algorithm to think about what the eyes saw.

In the case of Ambient.ai, the company's computer vision intelligence platform serves as "the brain" behind physical access control systems, such as security cameras and physical sensors (such as door locks and entry pads). This week, the company expanded the catalog of behaviors the computer vision platform can recognize with 25 threat signatures.

**Computers Help Humans See**  
Traditionally, physical security involves staff in the security center monitoring alerts from the sensors and watching video feeds to try to detect when something untoward is happening. They may receive alerts that a door is open, or that a person swiped the access card to get into the building after-hours. There might be camera footage of someone loitering for quite some time in the building lobby, or a person entering a restricted area carrying an unauthorized laptop. Humans are expected to detect and respond to security incidents, but between fatigue and too much information to process, things can get missed.

"One individual is trying to watch 50 camera feeds at once. This doesn't work," McReynolds notes.

There have been three waves in computer vision, McReynolds says. The first wave was basic detection — that there was an object there, but no insight into what it was. The second wave added recognition, so it knew what it was looking at, such as whether it was a person or a dog. But it was a limited form of recognition, and there was a lot that was still unknown about the object it was looking at. The third wave, the current one, takes in context clues from the broader scene to understand what is happening. Just as a human would look at details around the object to understand what is happening, such as whether the person is sitting or if the person is outside, computer vision technology is now capable of collecting those details.

Ambient.ai breaks down the image or video into "primitives" — which refers to components such as interactions, locations, and objects seen — and constructs a signature to understand what is happening. A signature may be something like a person standing in the lobby for a long time not interacting with anyone, for example.

The new threat signatures expand the platform's ability to catalog over 100 behaviors, McReynolds says.

**Recognizing What Is an Incident**  
The Ambient.ai Context Graph assesses three risk factors to determine next steps: the context of the location, the movements that create behavior signatures, and the type of objects interacting in a scene. Based on these factors, the platform can dispatch security personnel to handle the incident, validate risks, or trigger proactive alerts. With the Context Graph, analysts can also tell which alerts are not security incidents, such as a door that didn't latch properly, and close the ones that don't require any action.

"A person holding a knife running in the kitchen isn't a security incident," McReynolds says. "A person holding a knife running in the lobby, on the other hand, is a security incident."

VMware, an Ambient.ai customer, claims that 93% of its alerts each year were false positives. By integrating Ambient.ai's platform with its physical access control systems, VMware's security teams didn't have to deal with those alerts and were able to focus their attention on dealing with the remaining 7% of alerts to stop security incidents on its campus.

McReynolds described a potential workplace violence scenario, where a former employee tried to use their badge to enter the building. The invalid badge in and of itself is not a security threat, but paired with security footage of the former employees sitting in the lobby and not interacting with anyone, there are enough reasons to be concerned. The alert would then be prioritized to send a guard to approach the individual.

"Sometimes it takes just a conversation and the person will stand down," McReynolds says.

All that is accomplished without resorting to facial recognition, which brings a host of privacy implications. Ambient.ai uses machine learning, pattern-matching, and computer vision to make decisions about what is important.

**Computer Vision in Security**  
Computer vision technology is useful in several security contexts because it can be used to detect manipulations that are less visible to the human eye, says Fernando Montenegro, senior principal analyst at Omdia. For example, the technology can be used to identify spoofed logos and websites used in account takeovers and ecommerce fraud. Another interesting use case is to represent binary samples as images, and then using imaging classification techniques to classify them as malicious or not, he says.

One aspect of computer vision is the capability to analyze "datasets that are not originally 'images' themselves, but can be encoded as such," Montenegro says.

Humans have the capacity to say something doesn't look right, even if they can't specifically point to something that is wrong, says Gunter Ollmann, CSO of Devo. An intriguing application of computer vision research is to train the algorithm to be able to detect something is wrong because of the way it looks, he says. By turning source code into an image, the machine can analyze the structure and other patterns to detect potential issues without having to analyze the code line by line. This kind of analysis can be used for malware analysis, by color-coding different categories of function and analyzing the image to get an understanding of what the application is doing.

There are several computer vision startups tackling cybersecurity issues. Hummingbirds AI uses facial biometrics to authenticate users and grant access to the device. When the computer "sees" a person who is not authorized that is close to the screen, the tool blocks access. Pixm relies on computer vision to identify and stop spear-phishing attacks. The platform runs in the browser window and is available from the moment the user clicks on a link until the campaign is disrupted.

"We are now in an exciting era where \[the machine\] can collaborate with the human," Ambient.ai's McReynolds says, regarding advancements in computer vision.

Ambient.ai Expands Computer Vision Capabilities for Better Building Security

Kremlin-linked actors have launched multiple assaults since invasion began

Kremlin-linked actors have launched multiple assaults since invasion began

  

A new report from Microsoft has revealed that at least six separate Russian nation-state actors have launched damaging cyber-attacks against Ukraine since the invasion began earlier this year.

The study (PDF), released yesterday (April 27), detailed how Microsoft researchers have tracked at least 237 “cyber operations” originating from Russia.

These attacks “have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership”, Microsoft states.

It comes more than two months after Russian troops invaded neighboring Ukraine, sparking the beginning of a war that has so far claimed tens of thousands of lives.

**Direct hits**

Microsoft has observed these cyber-attacks as being “strongly correlated and sometimes directly timed” with Russia’s kinetic military operations targeting services and institutions crucial for civilians.

“For example, a Russian actor launched cyber-attacks against a major broadcasting company on March 1, the same day the Russian military announced its intention to destroy Ukrainian ‘disinformation’ targets and directed a missile strike against a TV tower in Kyiv,” the report details.

As many as 32% of destructive attacks directly targeted Ukrainian government organizations at the national, regional, and city levels, while more than 40% of attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and civilians.

A diagram detailing some of the nation-state actors identified by Microsoft

“At least six known or suspected Russian cyber threat groups in addition to other unattributed threat actors are engaged in activities that range from reconnaissance and phishing for initial access to pervasive lateral movement, data theft, and data deletion,” according to Microsoft.

“The multiple phases of their operations suggest these actors are positioning themselves for continued compromises and impact on Ukrainian networks for the duration of this conflict and beyond.”

Nation-state groups mentioned in the report include GRU unit 74455, aka Sandworm, also known as Iridium, which Microsoft claims is responsible for the malware FoxBlade wiper, CaddyWiper, and Industroyer2. GRU is Russian military intelligence.

Read more of the latest security news from Ukraine

Also mentioned in the report is Nobellium, aka APT29, which is thought to be led by Russia’s Foreign Intelligence Service, which has been seen using password spraying and phishing attacks against Ukrainian and NATO member diplomatic targets.

Microsoft stated that these attacks used a variety of techniques to gain initial access to their targets including phishing, use of unpatched vulnerabilities, and compromising upstream IT service providers.

The tech giant also noted how the cyber-attackers often modify their malware with each deployment to evade detection. “Notably, our report attributes wiper malware attacks we previously disclosed to a Russian nation-state actor we call Iridium,” Microsoft added.

READ MORE Data wiper deployed in cyber-attacks targeting Ukrainian systems

The Windows-specific data wiper appeared on “hundreds of machines”, according to telemetry from information security firm ESET, in the days following the invasion.

The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data.

Although primarily directed towards Ukraine, the ‘HermeticWiper’ malware strain has also been detected in the Baltic states of Latvia and Lithuania.

Date stamps on the malware indicate that it was compiled two months before the invasion – evidence that the cyber-attack was premeditated.

**Continued escalation**

“Given Russian threat actors have been mirroring and augmenting military actions, we believe cyber-attacks will continue to escalate as the conflict rages,” Microsoft concluded.

“Our report includes specific recommendations for organizations that may be targeted by Russian actors as well as technical information for the cybersecurity community.

“We will continue to provide updates as we observe activity and believe we can safely disclose new developments.”

The full report (PDF) contains more information, including a detailed timeline of individual attacks targeting Ukraine.

DON’T MISS Ukrainian ISP used by military disrupted by ‘powerful’ cyber-attack

<span>Microsoft report unmasks at least six Russian nation-state actors responsible for cyber-attacks against Ukraine</span>

Scammers are disguising their phishing page as a donation hub for Ukrainian refugees.
The post Fake USA for UNHCR site wants your Ukraine donations in Bitcoin appeared first on Malwarebytes Labs.

Since Russia began invading Ukraine in late February, many organizations have set up donation pages to aid the most heavily affected: Families who were forced out of their homes due to bombings and children separated from grown-ups who decided to stay and take arms.

We’ve also seen a considerable amount of scams preying on those who want to bring help to the helpless. During these times of struggle, donation and phishing scams abound, too.

**There’s a spam campaign encouraging you to donate to or support Ukraine**

Our email honeypot snagged dozens of samples belonging to a campaign that spoofed an email that receivers were meant to believe came from the United Nations or United Humanitarian.

Our Threat Intelligence Team took a closer look and found that the actual senders are work email addresses of individuals linked to legitimate services in Bangladesh. The emails appeared to be compromised.

    Hello
    
    We stand with our friends and colleagues in Ukraine during this heinous assault on their freedom, their independence and their lives. We are actively supporting our resilient team and are doing what we can to insure their safety, click on the Link to see more updates or photos and videos of the invasions from Russian. Donate and Support Ukrainian now to save lives.
    
    Visit: {redacted URL}
           {redacted URL}
    
    Thanks for your support.
    Regards
    UNITED HUMANITARIAN

Clicking the links in the email body, or copying and pasting them to your browser, opens this legitimate looking website:

We inspected the URL using a domain registrant and found it was created on April 19 2022, two days before we started receiving the spam emails.

**Be extra vigilant with “mirrored” sites**

The scam page looks slick, professional, and not what you may expect from a bogus donation portal. There’s a good reason for this. The entire site has been copied from _unrefugees.org_ using HTTrack, a free website copier.

_This is inside the code of the fake refugee website helping Ukraine families flee. Website copiers can make a fake site a spitting image of its original counterpart._

_Unrefugees.org_ is the USA for UNHCR (United Nations High Commissioner for Refugees). It is a Washington-based, not-for-profit organization whose mission is to provide food, shelter, and medical care to those fleeing their homes due to conflict, persecution, or violence.

While the fake site mirrors the legitimate site perfectly, it has one major exception: They switched out the genuine donation page for one of their own. The real site allows you to donate monthly via credit card, Google Pay, or PayPal. Donations made to the fake site, however, are made through Bitcoin.

_This is the form donors would have to fill in._

We checked multiple sources for information on the Bitcoin address provided. It doesn’t appear in scam databases or fraud reports and has neither sent nor received funds. This, combined with the site now failing to resolve, hopefully means the scammers got nowhere with their phishing attempt.

**How to tell if a donation site is what it says it is**

It’s very difficult to know at a glance which sites are real. This is especially true where donations are concerned. However, there are tools available to check.

You can check for registered charities online in most cases, and the genuine site is listed here against the BBB (Better Business Bureau) record. You can find similar types of checks in other countries.

There are very good reasons for making speedy donations. Even so, taking the time to ensure the site you’re donating to is the real deal is the best course of action for both you and the people you’ll be helping.

Stay safe out there!

Tag

#intel