The Week in Security: Ukraine APT attacks tied to Russia, critical eye placed on AI-generated software

This week: Microsoft finds that the APT group that is attacking Ukraine is in cahoots with the Russian government. Also: A critical look at AI-generated software.

This Week’s Top Story

Russian government in cahoots with APT targeting Ukraine, Microsoft finds

This week, Microsoft shared a new development regarding the cyberfront of Russia’s war on Ukraine, which demonstrates that Russian government officials are collaborating with cyberthreat actors who are targeting Ukrainian organizations. The advanced persistent threat (APT) group, dubbed by Microsoft “Cadet Blizzard,” has been in cahoots with Russia’s General Staff Main Intelligence Directorate (GRU) to launch malware wiper attacks on Ukrainian organizations since before the start of Russia’s physical advance on Ukraine in February 2022.

Malware wiper strains such as HermeticWiper, which have been a common attack method used in the Russo-Ukrainian War, perform exactly as their name suggests: Once this kind of malware infects a computer system, it will permanently wipe data and services from the network, causing massive disruption to targeted organizations. In this case, Cadet Blizzard created WhisperGate, a wiper malware designed to delete the master boot record (MBR) from targeted Ukrainian computers, with sign-off and support from Russia’s GRU.

Not only has Cadet Blizzard been linked to this malware wiper campaign targeting Ukraine, but the APT group has also been linked by Microsoft to other malicious efforts, such as “destructive attacks, espionage, and information operations” in Ukraine, greater Europe, and Latin America that target government organizations and information technology providers. Microsoft researchers also believe that Cadet Blizzard and, by extension, the Russian government are going after software supply chains by targeting software developers, using a “compromise one, compromise many” technique.

These findings from Microsoft demonstrate that the Russian government has been prioritizing offensive attacks in both the cyber and kinetic fronts of the war and has been willing to work with skilled cybercriminals to make these attacks happen. This sets a precedent for how cyberwarfare is conducted, which in the Russo-Ukrainian War has consisted of Russian government officials allowing and enabling APT groups to conduct malicious campaigns pointed at the nation-state’s adversaries.

News Roundup

Here are the stories we’re paying attention to this week …

A critical look at AI-generated software (IEEE Spectrum)

The ongoing AI revolution promises to revamp software development, making it far easier for people to program, debug, and maintain code. This development sparks an important question: Are there any concerns with AI-written code and, in particular, with the use of natural-language systems such as ChatGPT for this purpose? This article looks carefully at this question, both to place AI-powered programming in context and to discuss the potential problems and limitations that go along with it.

Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable (The Hacker News)

A fully undetectable (FUD) malware obfuscation engine named BatCloak has been in use since September 2022 to deploy various malware strains while persistently evading antivirus detection. The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files."

Barracuda ESG zero-day attacks linked to suspected Chinese hackers (Bleeping Computer)

In the continued case of the Barracuda email flaw left open for months, it’s suspected that a pro-China hacker group tracked by Mandiant as UNC4841 has been linked to data-theft attacks on Barracuda ESG (Email Security Gateway) appliances using the now-patched zero-day vulnerability.

Every Signature Is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures (Usenix Security Symposium)

“We tested the attacks against different Microsoft Office versions on Windows and macOS, as well as against OnlyOffice Desktop on Windows, macOS and Linux. All tested Office versions are vulnerable. … The attacks’ impact is alarming: attackers can arbitrarily manipulate the displayed content of a signed document, and victims are unable to detect the tampering. Even worse, we present a universal signature forgery attack that allows the attacker to create an arbitrary document and apply a signature extracted from a different source.”

New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries (The Hacker News)

In what's considered to be a new kind of software supply chain attack aimed at open-source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves.