April 12

                April 13, 2022

            April 12

            A look at accidents. The wrong approach is to blame “bad person” and the correct approach is to blame the bad system. This has strong parallels to OPSEC, security, and info sec, among others. The problem is usually not the person but the environment or tooling that permits or even encourages the errors.

            In Criminalizing Error, We Are Doomed to Repeat Our Mistakes | The Nation
            Sending a nurse to prison for causing a patient’s death may satisfy the thirst for vengeance, but it won’t make hospitals any safer.

Some clever crypto something something. Fraud, basically. It is always fraud. 

            Rekt - Inverse Finance - REKT
            DeFi / Crypto - Inverse Finance got flipped for ~$15M. A professionally executed hack allowed an anonymous actor to manipulate the price of INV and help themself to an exclusive deal from the ETH based lending protocol.

The Purge
Putin in on a bit of a purge right now. Taking out the domestic policy guy who was also in charge of Ukraine policy. Clearly he screwed that one up.
Kamil Galeev @kamilkazani
Vladislav Surkov is reportedly arrested. For years he ran Russian domestic politics and later Kremlin's policy in Ukraine. On Feb 15 he published an article calling for the war to reannex Ukraine, Belarus and Baltics. Today I'll discuss his role in Putin's rise to Presidency🧵 
12:54 AM ∙ Apr 12, 2022
12,561Likes3,838Retweets

The Purge, Electric Butthole Glue
There are a lot of vacancies showing up in the FSB if you’re interested in a new job with a short life expectancy.

https://archive.ph/2022.04.11-203347/https://www.thetimes.co.uk/article/putin-purges-150-fsb-agents-in-response-to-russias-botched-war-with-ukraine-lf9k6tn6g

Ben Sixsmith @BDSixsmith
@pmarca Memes aren’t like viruses where you build up immunity, Marc. They’re like drugs - you overdose.5:14 AM ∙ Apr 12, 2022
43Likes3Retweets

Great work by ESET.
J. A. Guerrero-Saade @juanandres_gsMissed this write up from last month. Looking at the sheer amount of findings re:Ukraine over the past 8 years, @ESETresearch really doesn't get nearly enough credit. 👏👏👏
welivesecurity.com/2022/03/21/san…
welivesecurity.comSandworm: A tale of disruption told anew | WeLiveSecurityAs the war in Ukraine rages on, Sandworm, one of the world’s most notorious APT groups, enters the spotlight again.5:53 AM ∙ Apr 12, 2022
37Likes14Retweets

Lots of reports about the Sandworm attack against Ukrainian electrical substation(s). There are a lot of questions about this, like how the hack was detected and remediated inside an hour. 

            Industroyer2: Industroyer reloaded
            ESET researchers have responded to a cyber-incident that affected an energy provider in Ukraine and involved ICS-capable malware that we've named Industroyer2.

            CERT-UA
            Ð£ÑÑÐ´Ð¾Ð²Ð° ÐºÐ¾Ð¼Ð°Ð½Ð´Ð° ÑÐµÐ°Ð³ÑÐ²Ð°Ð½Ð½Ñ Ð½Ð° ÐºÐ¾Ð¼Ð¿âÑÑÐµÑÐ½Ñ Ð½Ð°Ð´Ð·Ð²Ð¸ÑÐ°Ð¹Ð½Ñ Ð¿Ð¾Ð´ÑÑ Ð£ÐºÑÐ°ÑÐ½Ð¸, ÑÐºÐ° ÑÑÐ½ÐºÑÑÐ¾Ð½ÑÑ Ð² ÑÐºÐ»Ð°Ð´Ñ ÐÐµÑÐ¶Ð°Ð²Ð½Ð¾Ñ ÑÐ»ÑÐ¶Ð±Ð¸ ÑÐ¿ÐµÑÑÐ°Ð»ÑÐ½Ð¾Ð³Ð¾ Ð·Ð²âÑÐ·ÐºÑ ÑÐ° Ð·Ð°ÑÐ¸ÑÑÑ ÑÐ½ÑÐ¾ÑÐ¼Ð°ÑÑÑ Ð£ÐºÑÐ°ÑÐ½Ð¸.

The Russian military drones might not be as advanced as they liked to believe. On the other hand, it does seem very pragmatic to use commercial solutions to cut down on costs. Not really sure about that one… particularly since it seems maybe the cost savings weren’t passed on to the customer (the military.)
Stratcom Centre UA @StratcomCentre
Ukrainian soldier dismantled the Russian Orlan drone, debunking yet another Russian myth. 
4:42 AM ∙ Apr 12, 2022
391Likes160Retweets
And here is an entire article written about the above tweet. 

            Video: Ukraine Soldier Disassembles Russian Drone, Reveals DIY Work
            Ukraine's Defense Ministry posted a video on Twitter Sunday of the solider taking apart a Russian Orlan-10 drone.

Security vulnerabilities in the cloud.
Corey Quinn @QuinnyPig
Another day, another "learn about an @awscloud security issue from a third party" blog post... 
Lightspin @LightspinTech
Lightspin's Research Team obtained credentials to the internal AWS service 'grover' by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension. Read the full technical post by @gafnitav https://t.co/tnIHyoaCCg https://t.co/fFl6s6k6MR8:24 PM ∙ Apr 11, 2022
143Likes23Retweets

Somewhat late on this, but… it looks like SIGINT on Kadyrov and his Chechen buddies was a possible source for US intelligence on the Russian war plans.
max seddon @maxseddon
Looks like Chechen forces spent months openly chatting about plans to invade Ukraine – even as most other commanders didn’t know until a week before and were shocked, according to these leaked voice memos with Kadyrov. No wonder US SIGINT picked it up bbc.com″В районе Майдана или Крещатика танцы подготовим”. Что человеку с голосом Кадырова докладывали накануне вторжения России - BBC News Русская…В распоряжении Би-би-си оказались голосовые сообщения, которыми накануне российского вторжения на Украину обменивались человек с голосом главы Чечни Рамзана Кадырова и человек с голосом зама чеченской Росгвардии Даниила Мартынова. Они обсуждают, как бойцы будут заходить в здания на Украине и какой б…5:33 AM ∙ Feb 27, 2022
1,550Likes515Retweets

A look at how troll farms work, which is always a bit interesting.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6137759/

                Don't miss what's next. Subscribe to the grugq's newsletter: