The Week in Security: Coalition takes down Russia's Snake espionage tool, GitHub plugs API leaks

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: U.S. and other countries take down Russia’s Snake malware used to conduct global espionage. Also: GitHub now auto-blocks the leaks of API keys and tokens for all repos.

This Week’s Top Story

U.S. government and allies neutralize Russian intelligence Snake malware used for global espionage

This past Tuesday, the U.S. government announced a court-authorized disruption of a global network compromised by an advanced malware strain known as Snake, which was used as an espionage tool by Russia’s Federal Security Service (FSB). Snake was developed by Russian state-sponsored group Turla, and was designed as a covert tool for long-term intelligence collection on high-priority targets, allowing the group to create a peer-to-peer (P2P) network of compromised systems across the globe.

In coordination with multiple foreign governments, the neutralization of the P2P network was a part of an effort known as Operation MEDUSA, and was completed using a tool created by the FBI codenamed PEGASUS. PEGASUS permitted the Operation to issue commands to the Snake malware, causing it to “overwrite its own vital components” on infected machines. These commands included self-destruct instructions, which caused the malware to disable itself, without damaging the victim’s computer or its legitimate applications.

Turla has been using the Snake malware for quite some time, says the Justice Department: "For nearly 20 years, this unit [...] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation." In the U.S. specifically, the Snake malware targeted education, small businesses, media organizations, critical infrastructure, government facilities, finance, and more.

News Roundup

Here are the stories we’re paying attention to this week…

Sophisticated DownEX malware campaign targeting central Asian governments (The Hacker News)

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx.

GitHub now auto-blocks token and API key leaks for all repos (BleepingComputer)

GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories. This feature proactively prevents leaks by scanning for secrets before 'git push' operations are accepted, and it works with 69 token types detectable with a low "false positive" detection rate.

Free tool unlocks some encrypted data in ransomware attacks (DarkReading)

Researchers have released a free tool on GitHub that they say can help victims of intermittent encryption attacks recover data from some types of partially encrypted files — without having to pay a ransom for the decryption key.

Why Honeytokens are the future of intrusion detection (The Hacker News)

As told by Mandiant’s CEO Kevin Mandia: "Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can't stop".

Ransomware attack hits U.S. shipyard (BleepingComputer)

The shipyard that builds the US Navy’s Freedom-class Littoral Combat Ship and the Constellation-class guided-missile frigate has suffered a ransomware attack, delaying production across the shipyard. The Fincantieri Marinette Marine company has said that it has no evidence that employees’ personal information was affected, although this cyber security attack has disrupted computer systems at the defense shipbuilder.

Featured image: The FSB building in Russia