Saturday, June 11, 2022 // (IG): BB // Weekly Sponsor: UNDERWORLD BJJ
Ransomware Gang Incorporates Website Defacement, Posts Ransom Notes to Public-Facing Websites
FROM THE MEDIA: Ransomware attacks tend to have a certain unofficial protocol to them; the attacker gives the victim some window in which the attack is kept from the public, allowing them the opportunity to quietly make a payment to resolve the matter as quickly (and with as little trouble) as possible. A new ransomware gang on the scene is skipping that pleasantry, using website defacement to share ransom notes with both the company and the public in the immediate wake of the attack.
It is unclear if this signals a broader trend, but ransomware gangs have been known to change and evolve their tactics over time. “Double extortion” is a recent evolution that has become increasingly common over the last two years, and the use of direct website defacement is essentially a mutation of the “triple extortion” approach that began appearing toward the end of 2021.
READ THE STORY: CPO Magazine
BlackBerry discovers Symbiote malware, a highly evasive Linux threat
FROM THE MEDIA: In November 2021, BlackBerry discovered Symbiote, a new and highly evasive malware that acts “in a parasitic nature” affecting Linux operating systems, according to new joint research released by Dr. Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team.
“What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines,” says Dr. Joakim Kennedy at the BlackBerry Research & Intelligence Team. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006) and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”
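The loading technique described above (a shared object injected into every process through the dynamic linker, ATT&CK T1574.006) leaves two artifacts a defender can audit: the `/etc/ld.so.preload` file, which on most hosts should not exist at all, and the `LD_PRELOAD` variable in each process's environment. The script below is an added example written for this digest, not code from BlackBerry or Intezer; the sample preload file, the sample environment blob and the library path `/tmp/example_injected.so` are constructed placeholders, and `demo_on_constructed_tree` builds a throwaway fake `/proc` so the logic can be exercised without root.

```python
"""Audit a Linux host for dynamic-linker (LD_PRELOAD) injection.

Added example for the Symbiote story; assumptions: the glibc ld.so.preload
format (entries separated by whitespace or ':', '#' starts a comment) and
the NUL-separated KEY=VALUE layout of /proc/<pid>/environ.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed samples (not real indicators): a preload file with one entry
# and an environment blob carrying LD_PRELOAD.
SAMPLE_PRELOAD = "# constructed sample file\n/tmp/example_injected.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/example_injected.so\0HOME=/root\0"


def parse_preload_file(text: str) -> list[str]:
    """Return the library names listed in an ld.so.preload-style file."""
    libs: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]            # drop comments
        libs.extend(line.replace(":", " ").split())
    return libs


def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob exposed by /proc/<pid>/environ."""
    env: dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_preload_in_environ(blob: bytes) -> list[str]:
    """Return the libraries named by LD_PRELOAD in a process environment."""
    value = parse_environ(blob).get("LD_PRELOAD", "")
    return value.replace(":", " ").split()


def audit_host(proc_root: str = "/proc",
               preload_path: str = "/etc/ld.so.preload") -> dict:
    """Collect preload findings from the system file and every readable process."""
    findings: dict = {"ld_so_preload": [], "processes": {}}
    preload = Path(preload_path)
    if preload.exists():
        findings["ld_so_preload"] = parse_preload_file(
            preload.read_text(errors="replace"))
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():            # only <pid> directories
            continue
        try:
            blob = (entry / "environ").read_bytes()
        except OSError:                         # process exited or not ours
            continue
        libs = find_preload_in_environ(blob)
        if libs:
            findings["processes"][int(entry.name)] = libs
    return findings


def demo_on_constructed_tree() -> dict:
    """Run audit_host against a fake /proc built from the constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        proc = Path(tmp, "proc")
        Path(proc, "4242").mkdir(parents=True)          # "infected" process
        Path(proc, "4242", "environ").write_bytes(SAMPLE_ENVIRON)
        Path(proc, "1").mkdir()                          # clean process
        Path(proc, "1", "environ").write_bytes(b"PATH=/usr/bin\0")
        Path(proc, "self").mkdir()                       # non-pid entry, skipped
        preload = Path(tmp, "ld.so.preload")
        preload.write_text(SAMPLE_PRELOAD)
        return audit_host(str(proc), str(preload))


if __name__ == "__main__":
    print("constructed tree:", demo_on_constructed_tree())
    print("this host:", audit_host())
```

Because a userland rootkit of this kind hooks libc inside every dynamically linked process, an infected process may be shown a sanitized view of these files; run such an audit from a statically linked binary or from a clean boot medium, and treat any `ld.so.preload` entry pointing outside the package-managed library directories as worth investigating.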
READ THE STORY: Security Magazine
Iranian hackers target energy sector with new DNS backdoor
FROM THE MEDIA: The Iranian Lyceum APT hacking group uses a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors. Lyceum is a state-supported APT, also known as Hexane or Spilrin, that has previously targeted communication service providers in the Middle East using DNS-tunneling backdoors. A recent analysis by Zscaler presents a new DNS backdoor based on the DIG.net open-source tool to carry out "DNS hijacking" attacks, execute commands, drop more payloads, and exfiltrate data.
DNS hijacking is a redirection attack that relies on DNS query manipulation to take a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor's control.
Any information entered on the malicious website, such as account credentials, will be shared directly with the threat actor.
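A backdoor that carries commands and exfiltrated data inside DNS traffic produces a query pattern that ordinary browsing does not: many distinct, long, high-entropy subdomain labels under one registered domain, often using record types such as TXT. The script below is an added example for this digest, not code from Zscaler and not a signature for the Lyceum implant; it scores a resolver query log by those properties. The log format (timestamp, client, query type, name) and every query line are constructed, the domain `tunnel-placeholder.example` is a placeholder, and the registered-domain split assumes two labels, where production code would consult the public suffix list.

```python
"""Heuristic detection of DNS-tunnel-style query patterns in a resolver log.

Added example; the log format, thresholds and sample lines are assumptions
made here, not properties of any real backdoor.
"""
from __future__ import annotations

import math
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client> <qtype> <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# 32 distinct symbols, so every rotation of this label has exactly 5.0 bits/char.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"

# Constructed sample: three ordinary lookups, then six tunnel-like TXT queries.
SAMPLE_QUERY_LOG = "\n".join(
    ["2022-06-11T10:00:01Z 10.0.0.5 A www.example.com",
     "2022-06-11T10:00:02Z 10.0.0.5 A mail.example.com",
     "2022-06-11T10:00:03Z 10.0.0.5 AAAA www.example.com"]
    + [f"2022-06-11T10:01:{i:02d}Z 10.0.0.7 TXT "
       f"{_ALPHABET[i:] + _ALPHABET[:i]}.tunnel-placeholder.example"
       for i in range(6)]
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (registered domain, leftmost subdomain label).

    Simplification: the registered domain is taken as the last two labels.
    """
    labels = qname.rstrip(".").split(".")
    registered = ".".join(labels[-2:])
    first = labels[0] if len(labels) > 2 else ""
    return registered, first


def analyze_log(text: str, min_unique: int = 5, min_entropy: float = 3.5,
                min_len: int = 20) -> dict[str, dict]:
    """Aggregate queries per registered domain and flag tunnel-like ones."""
    per: dict[str, dict] = defaultdict(lambda: {
        "queries": 0, "labels": set(), "entropy_sum": 0.0, "len_sum": 0, "txt": 0})
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                                 # skip malformed lines
        registered, first = split_qname(m["qname"])
        st = per[registered]
        st["queries"] += 1
        st["labels"].add(first)
        st["entropy_sum"] += shannon_entropy(first)
        st["len_sum"] += len(first)
        if m["qtype"] in ("TXT", "NULL"):            # record types rare in browsing
            st["txt"] += 1
    report: dict[str, dict] = {}
    for domain, st in per.items():
        n = st["queries"]
        summary = {
            "queries": n,
            "unique_labels": len(st["labels"]),
            "mean_entropy": st["entropy_sum"] / n,
            "mean_label_len": st["len_sum"] / n,
            "txt_fraction": st["txt"] / n,
        }
        summary["flagged"] = (summary["unique_labels"] >= min_unique
                              and summary["mean_entropy"] >= min_entropy
                              and summary["mean_label_len"] >= min_len)
        report[domain] = summary
    return report


if __name__ == "__main__":
    for domain, summary in analyze_log(SAMPLE_QUERY_LOG).items():
        print(domain, summary)
```

Tune the thresholds against a baseline of the organisation's own traffic before alerting: content delivery networks and some anti-spam services also generate long machine-made labels, so the score is a triage signal that should be joined with the client identity and the query volume over time rather than treated as proof of compromise.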
READ THE STORY: BleepingComputer
Researchers Found an Unpatchable Security Flaw in Apple’s M1 And You Probably Don’t Need to Care
FROM THE MEDIA: Researchers working with MIT have found a new flaw in Apple processors that they’re calling unpatchable. While that sounds bad — and under specific circumstances, could be bad — it’s probably not something consumers need to worry about much.
The flaw, dubbed PACMAN, is caused by a hardware security problem with Apple’s pointer authentication codes (PAC). The researchers write: “We demonstrate that by leveraging speculative execution attacks, an attacker can bypass an important software security primitive called ARM Pointer Authentication to conduct a control-flow hijacking attack.” Pointers are objects in code that contain memory addresses. By modifying the data inside of pointers, an attacker can theoretically modify what happens when the machine accesses a given area of memory.
READ THE STORY: Extremetech // The CyberWire
Potent Emotet Variant Spreads Via Stolen Email Credentials
FROM THE MEDIA: The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns. Emotet’s resurgence in April seems to be the signal of a full comeback for what was once dubbed “the most dangerous malware in the world,” with researchers spotting various new malicious phishing campaigns using hijacked emails to spread new variants of the malware.
The “new and improved” version of Emotet is exhibiting a “troubling” behavior of effectively collecting and using stolen credentials, “which are then being weaponized to further distribute the Emotet binaries,” Charles Everette from Deep Instinct revealed in a blog post this week.
READ THE STORY: ThreatPost
Chinese-linked threat actor has been quietly spying for nearly 10 years
FROM THE MEDIA: Researchers on Thursday reported that a Chinese-linked threat actor — Aoqin Dragon — has operated espionage activities since 2013, targeting government, education and telecommunications organizations in Southeast Asia and Australia. In a blog post, SentinelLabs researchers said Aoqin Dragon seeks initial access through document exploits and the use of fake removable drives. The researchers said other techniques the attacker uses include the following: DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
READ THE STORY: SCMAG // Korea IT Times
The future of US security depends on owning the ‘gray zone.’ Biden must get it right.
FROM THE MEDIA: Conventional military superiority once guaranteed the security of the United States and its allies—but no more. Adversaries like Russia and China have learned that if they cannot compete with the United States conventionally, they can undermine US security in the cyber, economic, and information domains through offensive activities in the “gray zone,” or the space between peace (or cooperation) and war (or armed conflict).
After decades of relying on its conventional power, the United States lacks a comprehensive strategy to align gray-zone activities with the national goals it aims to achieve. More complicated still, this term is ill-defined—if even acknowledged—in US and allied strategies, creating an obstacle to further dialogue and policy action. Current efforts are uncoordinated across the executive branch and relevant stakeholders, and the desired end state is unclear.
READ THE STORY: Atlantic Council
Russia-Ukraine war: How Elon Musk's StarLink thwarted Vladimir Putin's information war
FROM THE MEDIA: A United States Army official has praised Elon Musk's Starlink, the satellite internet service providing high speed connections to the most remote regions in Ukraine, claiming the technology has thwarted Vladimir Putin's propaganda efforts and assisted forces on the ground.
US Brigadier General Steven Butow — who has been working closely with SpaceX as director of the space portfolio at the defence innovation unit — said SpaceX's Starlink services have been a crucial asset to the Ukrainian military. Musk shipped Starlink dishes to Ukraine within hours of a request for terminals from Ukrainian politician Mykhailo Fedorov, following a series of cyber attacks originating from Russia.
READ THE STORY: NZHerald
This ransomware makes you sign up for Roblox to get your files back
FROM THE MEDIA: The creators of a new ransomware strain have taken a novel approach when it comes to how victims pay up to regain access to their locked files. While ransomware gangs normally make victims pay in cryptocurrency to unlock their files after an attack, security researcher MalwareHunterTeam has discovered a new ransomware named “WannaFriendMe” that has them pay in Roblox’s in-game currency Robux instead.
Although WannaFriendMe impersonates the notorious Ryuk ransomware, it’s actually a variant of the Chaos ransomware according to BleepingComputer.
READ THE STORY: TomsGuide
LockBit claims to have hit Mandiant, but their claim looks baseless.
FROM THE MEDIA: The LockBit gang, version 2.0, claims to have successfully hit Mandiant, but, CyberScoop and BleepingComputer both report, there seems to be nothing to those claims. Mandiant has seen no evidence of any successful attacks, and the purported evidence LockBit has been woofing seems to have been culled from earlier hits unrelated to Mandiant. Mandiant suggests an explanation for the imposture: "Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant's June 2nd, 2022 research blog on UNC2165 and LockBit." LockBit was especially exercised by Mandiant's association of the ransomware-as-a-service gang with Evil Corp, and by its suggestion that they operated in the interest of the Russian government. They're apolitical, says LockBit, and they've got affiliates all over the world.
READ THE STORY: The CyberWire
Karakurt data extortion group: CISA issues alert
FROM THE MEDIA: In a joint Cybersecurity Advisory by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN), the four U.S. agencies warned businesses about the tactics, techniques, and procedures (TTPs) of the Karakurt data extortion group. Unlike ransomware groups, Karakurt does not encrypt data; it simply steals it. The group then threatens the victimized business with auctioning the sensitive data if the company does not pay the extortion fee. The alert says the fee typically ranges from $25,000 to $13,000,000 in Bitcoin.
“This is an interesting plot twist,” commented Avast Security Evangelist Luis Corrons. “Ransomware gangs started stealing data and using extortion to enforce payment when victims refused to pay as they had their own backups. Now this group has figured out that they can skip the encryption process altogether. They do not have to invest in ransomware, providing keys, etc. It has yet to be seen if this ‘business model’ will be more successful than the traditional ransomware one, where victims tend to lose access to all their data.” Karakurt typically gives the business a week to pay, and it piles on the pressure by harassing the company’s employees and clients with phone calls urging them to get the business to comply with the demands. For more, see ZDNet.
READ THE STORY: Security Boulevard
Hard-to-Detect 'Parasite' Targets Linux Operating Systems
FROM THE MEDIA: New malware called Symbiote is affecting Linux operating systems by infecting other running processes to inflict damage on machines, say Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team, who jointly conducted the research.
The highly evasive malware, which was detected targeting Latin American financial firms in November 2021, aims to capture credentials on victims' systems to provide threat actors with backdoor access into the infected machines, say the researchers at both BlackBerry and Intezer.
READ THE STORY: GOVINFO SEC
Russia Warns Growing Cyber Conflict With U.S. Could Spark War in Real World
FROM THE MEDIA: Russia's top cyber diplomat has warned that a worsening conflict with the U.S. in cyberspace could lead to a real-world escalation between the two powers as both sides vowed to strike back against any virtual provocations.
Washington and Moscow have long denied conducting malicious cyber activities against one another, but U.S. Cyber Command Director General Paul Nakasone confirmed last week in an interview with Sky News that the Pentagon's cyber branch was involved in "a series of operations across the full spectrum," including those both "offensive" and "defensive" in nature, as well as "information operations," in support of Ukraine as it struggles to fend off a Russian incursion launched in February.
Days after the senior U.S. military official's comments, Russian special presidential representative for cooperation in the field of information security Andrey Krutskikh accused the U.S. of having "unleashed cyber aggression against Russia and its allies" in an interview Monday with the newspaper Kommersant.
READ THE STORY: NewsWeek
Conti Ransomware Develops Proof-of-Concept Code for Firmware Attacks
FROM THE MEDIA: An analysis of leaked chats from the Conti ransomware gang found that the cybercrime group was planning firmware attacks targeting the Intel Management Engine (ME). The firmware has various implementations, including the Intel Manageability Engine (before Skylake), Intel Converged Security and Management Engine (Skylake and later), Intel Trusted Execution Environment (Atom processors), and Server Platform Services (Server). Intel ME provides various functions, including anti-theft protection and out-of-band management.
READ THE STORY: CPO MAG
IT army of Ukraine – tech during the war
FROM THE MEDIA: Ukrainian business is actively contributing to Ukraine’s victory by fundraising, coordinating and delivering help to the frontline. Ukrainian IT is not only Ukraine’s fastest growing business sector, with a 36% increase in exports in 2021 ($5 billion to $6.8 billion), but also one of the most innovative and successful in providing the essentials to the military. As the volunteer movement exploded in the first days of the war, IT companies used their proficiency in project management to quickly set priorities, specialize in certain types of help and use their international contacts to facilitate essential imports for the Army. Some help the internally displaced persons, some buy and deliver military hardware, others specialize in life-saving medical hardware. As individuals, 3% of IT specialists found their calling in the Ukrainian Army, and 9% joined the cyber frontline against the aggressor.
READ THE STORY: Ukraine Crisis
Hackers exploit recently patched Confluence bug for cryptomining
FROM THE MEDIA: A cryptomining hacking group has been observed exploiting the recently disclosed remote code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers. The vulnerability, tracked as CVE-2022-26134, was discovered as an actively exploited zero-day at the end of May, while the vendor released a fix on June 3, 2022. Various proof of concept (PoC) exploits were released in the days that followed, giving a broader base of malicious actors an easy way to exploit the flaw for their purposes.
READ THE STORY: BleepingComputer
Army to double size of active-duty cyber corps
FROM THE MEDIA: The Army intends to double the size of its active-duty cyber corps by the end of the decade, including boosting its electronic warfare capacity, according to service officials.
The service is putting more emphasis on these types of capabilities to compete with advanced adversaries such as China and Russia.
“Active component growth in the force structure for Cyber Mission Force teams and Electronic Warfare companies and platoons will increase the authorized strength of the Cyber Corps from just over 3,000 [personnel] to just over 6,000” by 2030, an Army spokesperson told FedScoop in an email Friday. “The growth in the Army’s Electronic Warfare forces will also create similar increases, though in smaller numbers, in the Army National Guard.”
READ THE STORY: FedScoop
Pro-Iran Cyber Team Claims Cyberattacks On Tel Aviv Stock Exchange And Dubai Toll Road System
FROM THE MEDIA: On June 9, 2022, a cyber group which supports Iran-backed militias in Iraq published a statement on Telegram claiming responsibility for cyber attacks targeting the Tel Aviv stock exchange and an electronic toll road system in Dubai.
The channel wrote in English: "That's how we protest against that rampage which is happening for a long time. That's how we protest against the silence in the Media that are pretending to be blind and deaf for a long time. While all these Media urge you to 'Stand with Ukraine' we want to ask you: Why don't you care about Al Jazeera journalist Shireen Abu Akleh who was shot dead while covering Israeli military operation in West Bank? Why don't you care about Middle East which was occupied by USA and NATO for years...?"
READ THE STORY: MEMRI
Items of interest
More Wiggle Room for White Hat Hackers?
FROM THE MEDIA: On May 19, 2022, the Department of Justice (“DOJ”) announced significant clarifications to its policy on charging Computer Fraud and Abuse Act (“CFAA”) violations that give some comfort to cyber security consultants who engage in network testing and related operations. Such activity has long been a gray area for “white hat” hackers.
The CFAA, 18 U.S.C., §1030, provides the government with the authority to prosecute cyber-based crimes by making it a crime to “intentionally access[ ] a computer without authorization or exceed[ ] authorized access and thereby obtain[ ] (A) information contained in a financial record of a financial institution…(B) information from any department or agency of the United States; or, (C) information from any protected computer.” Most computers have the potential to fall under Section 1030’s definition of a “protected computer,” which includes any computer “used in or affecting interstate or foreign commerce or communication.” The new guidance demonstrates an evolving view of how the statute should be enforced with the ultimate aim of leaving the public safer as an overall result of government action. In this regard, the DOJ directive expressly states that good faith security research should not be prosecuted.
Good faith security research is defined by the DOJ as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The update further clarifies that “such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
READ THE STORY: National Law Review
Cybercrime Magazine Talks With The World's Greatest Spy at RSA 2022 (Video)
Cybercrime as a Service (CaaS) (Video)
FROM THE MEDIA: We've covered Hardware-as-a-Service (HaaS) and Software-as-a-Service (SaaS) in previous videos, but have you heard about Cybercrime-as-a-Service (CaaS)? CaaS operators sell valuable access credentials to threat actors, allowing them easy entry to deploy ransomware and steal company data.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com