June 30, 2022

The Week in Cybersecurity: NATO creates cyber rapid response

International relations intersects with cybersecurity, learn how to leverage YARA rules, plus new developments on AstraLocker 2.0.

Paul Roberts, Director of Content and Editorial at RL

Welcome to The Week in Cybersecurity, which brings you the latest headlines from both the world and our team at ReversingLabs about the most pressing topics in cybersecurity. This week: International relations intersects with cybersecurity, learn how to leverage YARA rules, plus new developments on AstraLocker 2.0.

This week’s top story

As tensions mount, NATO creates cyber rapid response

The war in Ukraine is well past the 100-day mark, and, like most other aspects of the conflict, the battlefront in the cyber conflict between the countries has shifted over time. As with its kinetic activities, Russia began its invasion with a 'shock and awe' campaign of cyber attacks. That included the hack of Viasat, a U.S. satellite communications firm used by Ukraine's military. It also included the release of a series of custom "wiper" malware programs, akin to the notorious NotPetya wiper that devastated Ukraine's public and private sector in 2017. (Check out our post from March on HermeticWiper and IsaacWiper, two new wiper variants seen in the Ukraine conflict.)

Those initial forays were a mixed bag for Russia, which faltered badly in the early days of the war. Since then, however, the cyber component of the conflict has devolved into tit-for-tat attacks between Russia, Ukraine and even Ukraine's allies on both sides of the Atlantic. A report from Microsoft documented Russian cyber attacks on 128 organizations in 42 countries outside Ukraine in recent months, with the U.S., Poland, the Baltic nations, Denmark, Norway, Finland, Sweden and Turkey in Moscow's sights. In the meantime, hacking groups sympathetic to Ukraine launched attacks that delayed the St. Petersburg International Economic Forum, which some refer to as the Russian Davos. More recently, the Russian firm ROSCOSMOS was hacked after posting satellite images of NATO bases.

With cyber rapidly declaring itself as a full-fledged domain of conflict, NATO is moving to solidify its role in countering Russian attacks on its members. As Politico reported, NATO members meeting in Madrid agreed to create a “virtual rapid response cyber capability” to counter Russian cyberattacks in Ukraine. That comes amid concerns that Moscow may target the United States and other NATO countries in retaliation for assistance to Ukraine. Under the new plan, NATO will act as a coordination platform for offering national assets to build and exercise a virtual rapid response cyber capability to respond to a serious cyber-attack. The United States will offer robust national capabilities as part of this support network, according to a statement on the summit released by the White House.


The stories we’re paying attention to this week

Cybersecurity Researchers Launch New Malware Hunting Tool YARAify (Infosecurity Group)

A group of security researchers from Abuse.ch and ThreatFox launched a new hub for scanning and hunting files. Dubbed YARAify, the defensive tool is designed to scan suspicious files against a large repository of YARA rules. YARAify (yaraify.abuse.ch) can scan files using public YARA rules and integrate both public and non-public YARA rules from Malpedia, which is operated by the Fraunhofer Institute in Germany.

Over 900K Kubernetes Instances Found Exposed Online (BleepingComputer)

Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks.

Latest OpenSSL Version is Affected by a Remote Memory Corruption Flaw (Security Affairs)

Security expert Guido Vranken discovered a remote memory-corruption vulnerability in the recently released OpenSSL version 3.0.4. That version of the library was released on June 21, 2022, and the flaw affects x64 systems with the AVX-512 instruction set.

AMD targeted by RansomHouse, claimed to have stolen 450 GB of data (The Register)

If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.

LockBit 3.0 introduces important novelties, including a bug bounty program (Security Affairs)

The LockBit ransomware operation has released LockBit 3.0, which has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

In case you missed it

Here are the posts that went live this week from the ReversingLabs Blog and develop.secure.software.

Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs

ReversingLabs recently discovered instances of the AstraLocker 2.0 malware distributed directly from Microsoft Word files used in phishing attacks.

SBOM Facts: Know what’s in your software to fend off supply chain attacks

Not knowing what’s in your food can have consequences. The same is true for software. That’s why you need a software bill of materials (SBOM) to minimize software security risk.

Copilot's rocky takeoff: GitHub ‘steals code’

Should you use GitHub Copilot? “No,” say open-source fans. “Heck no,” say lawyers. “Yeah,” say the sort of devs who do Stack Exchange copypasta without a second thought.
