In today’s episode, we explore the FlyingYeti campaign, which exploits a WinRAR vulnerability (CVE-2023-38831) to deliver COOKBOX malware in Ukraine, as detailed by Cloudflare’s Cloudforce One: https://thehackernews.com/2024/05/flyingyeti-exploits-winrar.html. Next, we discuss the unprecedented mystery malware attack that destroyed 600,000 routers at the ISP Windstream, reported by Black Lotus Labs: https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/. Finally, we dive into the Trend Micro study on CISOs facing pressure from corporate boards to downplay cyber risk: https://www.cybersecuritydive.com/news/cisos-pressure-boards-downplay-cyber-risk/717497/.
Tags: WinRAR, COOKBOX, FlyingYeti, Cloudflare, cyber warfare, Ukraine, phishing attacks, malware, routers, ISP, threat actor, Trend Micro, CISOs, cyber risks, organizational security
Search Phrases:
- WinRAR vulnerability explained
- COOKBOX malware detection and removal
- FlyingYeti cyber attack details
- Cloudflare security advisories
- Protecting against phishing attacks
- Malware impact on routers
- ISP security breach cases
- Trend Micro cybersecurity reports
- CISO corporate board pressure
- Organizational cybersecurity best practices
May 31
An unknown threat actor recently unleashed a devastating malware attack that obliterated over 600,000 routers from a single internet service provider in just 72 hours, forcing the company to replace all of the affected devices and leaving their patrons in digital darkness.
What the heck happened here and how will we recover from this?
Under mounting pressure from corporate boards, nearly four in five chief information security officers, or CISOs, are being pushed to downplay the severity of cyber risks, as revealed by a recent Trend Micro study. How can CISOs navigate the pressure from corporate boards while also maintaining a robust security posture?
And finally, sometimes I pick stories simply because the name is too good. So FlyingYeti is exploiting a WinRAR vulnerability to deliver COOKBOX malware in Ukraine, marking another alarming chapter in Russia-aligned cyber warfare.
You’re listening to The Daily Decrypt.
In just over a 72-hour time period, malware called Chalubo rendered more than 600,000 routers permanently unusable. All of these routers belonged to a single internet service provider named Windstream, and this ISP is now forced to replace every single one of these routers.
Now, that is not a small task. A lot of these routers live in rural areas, which would be a long drive for ISP technicians to make, and there are only so many ISP technicians out there. Sure, they can ship you these routers, but that’s going to take a long time, because no supply chain is equipped to handle a random 600,000-product order overnight. So who knows how long these people will be without internet?
The specific routers that were affected are ActionTec T3200 and Sagemcom models.
And users are reporting a static red light on their routers, which indicates failure.
Wow. Black Lotus Labs used the Censys search engine to track these affected router models and noted that throughout that 72-hour time period there was a 49% drop in connections for these routers. So almost half of these routers on the public internet went offline.
And I had mentioned that a lot of these routers lived in rural areas, but the spread of this disaster is pretty wide and vast, because this internet service provider provided service specifically to rural areas. And what is out in rural areas? A lot of farming and agriculture. So who knows what sort of impact this will have over our food source in the coming months, because even tractors nowadays rely on Wi-Fi.
Which is a whole other wormhole that I won’t get to on this episode, but if you’re interested, go ahead and look up John Deere Wi-Fi and cloud connectivity, because I believe they actually locked down these devices and you have to be connected to the cloud to use them, or something crazy like that.
And this will also affect emergency services, which are few and far between out in rural areas already. Which is just unfair.
But I hope this ISP is doing okay and has a solid disaster recovery plan for how to get their patrons back online. As far as I can tell, it’s pretty much not feasible to get 600,000 devices out to patrons in any sort of reasonable amount of time. So hopefully they can provide their patrons with maybe Amazon gift cards and instructions on how to connect routers purchased on Amazon or Best Buy to the ISP network, or some sort of creative solution to get internet back online.
As of right now, researchers have not identified how the routers were initially infected. Some possible methods could include exploiting unknown vulnerabilities, abusing weak credentials, or even accessing exposed administrative panels.
And I’m sure we’ll hear more from security researchers in the coming weeks on how this happened. But it’s pretty hard to pin down, because routers are widely insecure and unpatched, and it could be a myriad of ways that they were compromised.
And on that note, how do you prevent this? Make sure your routers are regularly updated. It is probably not updating itself, so you’re going to have to go in and you’re going to have to find that update button. I’m sorry, that totally sucks, but just do it. This is about the worst case that can happen, other than being spied on.
And in fact, I was actually traveling out of town and staying with a friend recently, and I asked his permission to go into his router just to see what was going on. I like to poke around and make sure my friends are secure. And while I was in there, I updated his router. It had never been updated. It wasn’t automatically updating. And I went ahead and showed him how to do it himself.
According to a study recently done by Trend Micro, almost four in five CISOs report feeling pressured by corporate boards to downplay their company’s cyber risk. This is a conflict between executives and security professionals that we’ve seen a lot in the past, but one we’re really hoping is being remediated due to all the visibility on cybersecurity risk. This study is showing that we still have a lot of work to do.
According to this study, 43% of security leaders feel they are perceived as nagging or repetitive, while 42% feel they are seen as overly negative about their cyber risk.
In the United States, the SEC mandates that publicly traded companies disclose significant cybersecurity incidents within four business days, which is only going to add pressure to these CISOs to manage their board’s expectations while also complying with regulations. That is not a job that I envy.
In fact, the SEC charged SolarWinds and its top cyber risk executives for misleading investors about their cyber resilience.
Now, any study relies on the opinions of, and the questions asked to, the specific participants, right? So this is kind of contradicted by a similar study done by Proofpoint earlier this year, which shows that 84% of CISOs now feel aligned with their boards on cyber risk, which would indicate the opposite of this study.
Regardless, if you’re a CISO, or if you’re an aspiring CISO, it’s hard to confront the people that pay you and write your checks. But you owe it to yourself, you owe it to your company, and you owe it to cybersecurity as a whole to take a stand and make sure that the cyber risk you’re dealing with is identified and addressed to the best of your ability.
My favorite leadership tactic, or strategy, or principle, is to not be afraid, or to recognize that it would be your proudest moment to be fired for standing up for something you believe in. That is almost the way you have to approach leadership nowadays. You’re going to get a lot of pressure from above and you’re going to get a lot of pressure from below, so unless you know what you stand for, you’re probably going to pick the wrong side. So pick something, stand for it, hopefully on moral grounds, and make it your life’s honor to get fired for standing up for what you believe in.
So we all know what phishing is. And with the advent of generative AI and machine learning, et cetera, phishing is only on the rise. People are being provided with more and more tools that will help them phish more efficiently. So of course phishing is going to be on the rise. It’s a very effective hacking technique.
Well, further proof of that comes as Cloudflare disrupted a phishing campaign by a Russia-aligned group called FlyingYeti that has been targeting Ukraine with, quote, COOKBOX malware. Lots of good visuals there.
The attackers use debt-themed lures, exploiting concerns over housing and utilities, to trick victims.
Once the phishing victim clicks the link, they’re directed to a GitHub page that mimics Kyiv Komunalka, which leads to a malicious RAR archive download.
The COOKBOX malware then uses PowerShell to control the infected system, connecting to a DDNS domain for command and control.
Flashpoint also noted that Russian APT groups are refining their tactics and expanding their targets, using malware like Agent Tesla and Snake Keylogger to accomplish their cybercrime goals.
And as I mentioned in the intro, I mostly picked this story because of the fun visuals of a flying yeti. But keep yourself up to date on phishing tactics, know what to look for, and know how to avoid getting phished yourself.
I was talking to a friend yesterday who was showing me an example of a phishing email that his company came across. And it looked really good. I couldn’t actually identify it as a phishing email. So, what do you do in that case? You should be skeptical of any link you click in any email. Never click a link without first thinking about what you’re clicking. It’s a really hard habit, but it will save you a lot of time and money by not getting phished. Right? So, first thing: check the email address it was sent from.
I think it was my dad recently who sent me an email that he thought might be phishing but couldn’t tell, and so he just forwarded it to me. And yeah, the first thing I did was open it up and look at the email address it was sent from. Sometimes it’ll show an alias, like “Facebook Marketing”, but then the actual email address is something different. And yeah, in this case it was something like cutiepie36@gmail.com sending an email requesting to reset your password on Facebook, or something like that. Like, that’s never going to happen. I mean, Facebook does use some pretty sneaky domains that look like phishing, so hey, knock that off, Facebook. But it’ll never be from a Gmail. It’ll always be from a facebook or fb.me domain, or something like that.
And if the email looks legit, you can always Google “malware sandbox” or something like that and find a service (they’re free), and you can copy the link, paste it in there, and see what it does. I did this for my dad’s email as well. It was a PDF, and I got to actually watch the PDF on a screen, like this virtual machine opened up the PDF and I got to watch it try to execute other programs in the background. It was super cool.
But yeah, try to use a safe environment to open up that link, or, if it’s not necessary to click the link, don’t. Like, if you have to reset your Facebook password, you can just go log into Facebook, go to your settings, and reset your own password. You don’t have to click the link for convenience. If it’s like “pay your bill now”, you can just go to your account by typing in the URL yourself and pay the bill. Don’t click the link. Just try to avoid clicking links as much as you possibly can.
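The sender check the host describes (a display name that claims a brand while the real address is a Gmail account, plus links that point somewhere else entirely) can be scripted. The following is an added example written for this page, not code from the episode or from any of the vendors mentioned: the two sample messages are constructed, and the brand-to-domain mapping and the free-webmail list are assumptions for illustration (fb.me is the one domain the host names; facebookmail.com is included as an assumed legitimate sender and should be verified against Facebook’s own documentation).

```python
"""Added example (not from the episode): flag the sender and link mismatches the
host describes, so the decision to click is made before anyone clicks."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed brand-to-sending-domain mapping; verify against each provider's own
# published sender domains before relying on it. fb.me is mentioned in the episode.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com", "fb.me"},
}
# Free webmail providers that no brand uses for account notices (assumed list).
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def registered_domain(host):
    """Crude registrable-domain guess: last two labels, port stripped.
    Good enough for .com/.net/.org; real code would use a public-suffix list."""
    labels = host.lower().split(":")[0].rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def claimed_brand(display_name):
    """Which brand (if any) the From display name is pretending to be."""
    name = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)


def check_message(raw):
    """Return a list of findings for one RFC 822 message; [] means nothing flagged."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    brand = claimed_brand(display)
    findings = []

    # 1. Display name claims a brand but the real address lives elsewhere.
    if brand and from_dom not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand} but From domain is {from_dom}")
    # 2. Account notices never come from free webmail.
    if from_dom in FREEMAIL:
        findings.append(f"From address uses free webmail ({from_dom})")
    # 3. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = registered_domain(reply_to.rpartition("@")[2]) if "@" in reply_to else ""
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Links in the body that do not belong to the claimed brand.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        if brand and registered_domain(host) not in BRAND_DOMAINS[brand]:
            findings.append(f"link to {host} does not belong to {brand}")
    return findings


# Constructed phishing message modelled on the one the host describes (hypothetical).
PHISH = """From: Facebook Security <cutiepie36@gmail.com>
Reply-To: support@fb-recovery.example.org
Subject: Reset your Facebook password
Content-Type: text/plain

Someone tried to log in to your account. Reset your password here:
http://facebook-help.example.net/reset
"""

# Constructed message whose sender is in the assumed allow-list.
LEGIT = """From: Facebook <security@facebookmail.com>
Subject: New login to your account
Content-Type: text/plain

Review recent activity at https://www.facebook.com/settings
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(raw) or ["nothing flagged"])
```

Running the block prints four findings for the constructed phish (brand mismatch, free webmail, divergent Reply-To, off-brand link) and nothing for the constructed legitimate notice. The checks are deliberately header-only: a message that passes them has not been proven safe, which is why the host’s advice to type the site’s URL yourself rather than click still applies.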