Costa Rica's ongoing struggle against Conti. Hacking GERD? A cyber insurance reset. Patch notes. Chaos declares for Russia. Hacktivists claim coup against robots.

At a glance.

Conti's ongoing campaign against Costa Rica.

Costa Rica continues to work to restore services in the country that were disrupted by Conti ransomware, and Conti continues its woofing about seeking to foment an insurrection in Costa Rica to help force payment. The government has been unable to collect taxes in the usual manner, and it's also having difficulty paying its employees.

For its part, Conti has not only upped its ransom demand to $20 million, but claims to have insiders working for it within Costa Rica. A communiqué from the group, reproduced by Tech Monitor, said, "We have our insiders in your government, I recommend that your responsible contact UNC1756, there is less than a week left when we destroy your keys, we are also working on gaining access to your other systems, you have no other options but to pay us, we know that you have hired a data recovery specialist, don't try to find workarounds, I communicate with everyone in this business, I have insiders even in your government! I once again appeal to the residents of Costa Rica to go out on the street and demand payment You're just forcing us to use terrible methods Another attempt to get in touch through other services will be punished by deleting the key."

The reference to UNC1756 is just made-up gasconade, since there's no record of activity under this particular classification, but CyberScoop reports that Costa Rica's President Rodrigo Chaves has led credence to the claim that Conti's getting some local help. “There are very clear indications that people inside the country are collaborating with Conti,” the president said, but, citing national security, declined to give details.

Conti is a Russian gang, privateers who operate at the sufferance of Moscow who've also declared that they intend to operate in Russia's interest during its' war against Ukraine, and there's been speculation, the New York Times reports, that the campaign against Costa Rica is intended to punish that country for siding with Ukraine. But that seems implausible. While sympathy in Costa Rica has generally run against Russia's war, that's true of the civilized world in general, and Costa Rica certainly hasn't been delivering crucial assistance to Kyiv. It seems more probable, as some sources tell the Times, that Costa Rica is a target of opportunity, easily caught while bigger fish grow warier and more inclined to spit the hook.

Claim: "international" cyberattack against Nile dam stopped.

Ethiopia says it stopped cyberattacks on its Nile dam and some financial institutions, the Addis Standard reports. Al-Monitor says that Egypt's government has not officially responded to Ethiopian accusations that it's behind any such cyberattacks. The Grand Ethiopian Renaissance Dam (GERD) and the Nile water rights it affects have been a point of contention between the two countries.

A "reset" in the cyber insurance market.

The Wall Street Journal reports that the cyber insurance market is undergoing a "reset," as it deals with a surge in costly ransomware attacks and concerns that Russia's war against Ukraine will spillover into cyberspace in a more significant way than it has yet to do. "Direct-written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners," and that's because the carriers are charging more, not because they're expanding their coverage. The reset also includes more stringent requirements customers must meet before they'll receive coverage.

Ransomware has continued to surge. A study by Cyber Security Works released this morning finds a 7.5% spike in APT groups engaged in ransomware.

Patch notes.

Apple has issued fixes for multiple products, and the US Cybersecurity and Infrastructure Security Agency (CISA) urges users and admins to review the patches and "apply the necessary updates:" watchOS 8.6, tvOS 15.3, macOS Catalina, macOS Big Sur 11.6.6, macOS Monterey 12.4, iOS 15.5 and iPad OS 15.5, and Xcode 13.4.

CISA has also added two new entries to its Known Exploited Vulnerabilities Catalog, one for a code injection issue in the Spring Cloud Gateway library and the other for a command injection problem in Zyxel firmware for business firewalls and VPN devices. The Record summarizes the scope of the Zyxel vulnerabilities, and quotes expert opinion to the effect that small and medium businesses are likely to be particularly affected.

Finally, CISA issued an industrial control system (ICS) advisory yesterday for Circutor COMPACT DC-S BASIC.

The following sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.

Chaos ransomware group declares for Russia.

Conti did so back in February, while the LockBit crew has tried to remain neutral ("apolitical"). Now another ransomware gang, the operators of Chaos, has declared for Russia, Fortinet researchers report. It's customary for ransomware to include a message that normally demands a ransom and tells the victims how they can recover their files (after paying). There's none of that here; this is the message Chaos has been displaying recently: "Stop Ukraine War! F**k Zelensky! Dont go die for f**king clown! You can see the truth here:" with a link that takes the recipient to a Russophone propaganda site, the "Information and Coordination Center.” That page (which leads with the motto "Victory will be ours") explains its purpose in a "Who we are section." The site's goal appears to be recruitment of hacktivists and influencers:

"Our priorities are:

"In connection with the full-scale information and economic war unfolding against the Russian Federation, the Information Coordination Center ... was created - a group of like-minded people whose main goal is to combat the spread of false information about the activities of the Russian Federation and the Russian Armed Forces.

"1. Blocking channels on Telegram, VK 2. Blocking propaganda sites,

"2. Blocking propaganda sites that disseminate false information

"3. Investigating violations of rights and civil rights and freedoms

"Current Targeting Guidelines

"In order to participate and contribute to the information confrontation, please see the Toolkit section, where you can learn how to work most effectively in each area.

"If you know of a fake news channel or website which is spreading false information, defaming Russia, or violating human rights and it is not on our list, please contact us."

It includes a list of resources "currently being coordinated," and it offers other items like names of Ukrainian soldiers killed in action, and the names of alleged Ukrainian war criminals.

Chaos, while it's a ransomware builder in the C2C market, clearly isn't a conventional ransomware gang. Fortinet concludes:

"The Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files. Finding them is a tall order for non-technical victims, which pretty much makes the malware a file destroyer. Clearly, the motive behind this malware is “destruction.” The politically inclined messages also indicate that the attacker is pro-Russian and frustrated with the current situation. And with the Chaos ransomware builder now readily available, its options allow anyone to create destructive malware. And with no end to the war in sight, FortiGuard Labs expects more malware like this to emerge."

Report: hacktivists claim to have compromised Russian-manufactured ground surveillance robots.

The Daily Dot reports that a hacktivist group, "CaucasNet," says it successfully compromised Tral Patrol 4.0 unmanned ground video surveillance systems. Hashtagging #OpRussia and #GloryUkraine, CaucasNet's Twitter feed crowed, "We hacked the patrol robots of the Russian company «SMP Robotics». Now we control the Robotics robots all over the world, we broadcasted the anthem of Ukraine and the Georgian song «300» on all the robots on May 9th." Tral Patrol robots have been sold in many countries, but CaucasNet claimed in particular that they'd hacked the systems at Moscow's Sheremetyevo International Airport. The airport did not confirm any incident to the Daily Dot, saying only, “Sheremetyevo International Airport does not confirm the fact of hacker hacking of the security system." Like most hacktivism, this amounts to a nuisance. And like most hacktivist claims, this one should be received with open-minded skepticism.