Daily Drop (163)
6-14-22
Tuesday, June 14, 2022 // (IG): BB //Weekly Sponsor: UNDERWORLD BJJ
PSA: NEWSLETTER HAS MOVED SUBSCRIBE TO RECIEVE THESE
Hackers clone Coinbase, MetaMask mobile wallets to steal your crypto
FROM THE MEDIA: Security researchers have uncovered a large-scale malicious operation that uses trojanized mobile cryptocurrency wallet applications for Coinbase, MetaMask, TokenPocket, and imToken services. The malicious activity has been identified earlier this year in March. Researchers at Confiant named this activity cluster SeaFlower and describe it as "the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group."
In a recent report, Confiant notes that the malicious cryptocurrency apps are identical to the real ones but they come with a backdoor that can steal the users' security phrase for accessing the digital assets.
READ THE STORY: Bleeping Computer
Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens
FROM THE MEDIA: An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks.
"More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub," researchers from cloud security firm Aqua said in a Monday report.
Travis CI is a continuous integration service used to build and test software projects hosted on cloud repository platforms such as GitHub and Bitbucket.
READ THE STORY: THN
Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
FROM THE MEDIA: The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.
The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.
READ THE STORY: The Register
Chipmakers to spend record $109b on fab machines this year
FROM THE MEDIA: If you've been ripping your hair out about the ongoing semiconductor shortage, you should know that chip manufacturers are at least trying to spend their way out of the problem at record levels.
Chipmakers across the world are expected to increase spending on equipment for front-end manufacturing plants by 20 percent to an all-time high of $109 billion in 2022, according to the latest World Fab Forecast report from semiconductor industry group SEMI.
READ THE STORY: The Register
Prolific Ransomware Affiliate Groups Deploy Blackcat
FROM THE MEDIA: Two of the “most prolific” affiliate threat groups, which have been associated with several ransomware families, including Hive, Conti and Ryuk, are now deploying the BlackCat ransomware-as-a-service (RaaS), new Microsoft research revealed.
Researchers tracking BlackCat deployments face a challenge that’s currently prevalent in the ransomware threat landscape: Because it relies on the RaaS affiliate model, no two BlackCat deployments might look the same, with different affiliates utilizing different tactics. For instance, two separate BlackCat deployments recently observed by Microsoft used two initial access vectors - one using compromised credentials, and the other exploiting a vulnerable Microsoft Exchange server - as well as different persistence, credential exfiltration and lateral movement methods.
READ THE STORY: DUO
Microsoft: Ransomware groups, nation-states exploiting Atlassian Confluence vulnerability
FROM THE MEDIA: Ransomware groups and nation-state actors have begun exploiting a widespread zero-day vulnerability in all supported versions of Atlassian Confluence Server and Data Center unveiled late last month, according to Microsoft.
Microsoft’s security team took to Twitter on Friday to say they have seen widespread exploitation of CVE-2022-26134, which was officially patched by Atlassian on June 3.
Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. We urge customers to upgrade to the latest version or apply recommended mitigations: https://t.co/C3CykQgrOJ
READ THE STORY: The Record
Psycho viruses and information dumps: how Russian propaganda breaks will to resist in the Ukraine war
FROM THE MEDIA: Russia’s war against Ukraine is held not only with tanks; Russian propaganda targets Ukrainians and foreigners in order to break their will to resist. Here is what you need to watch out for to repulse the Kremlin’s mind games.
Information warfare is one of the main elements of modern hybrid wars, such as the war in Syria or “the conflict” in Ukraine, wrote Russian political scientist Andrey Manoilo in his research paper Information War Modern Technologies, published in a 2017 special issue of Political Science journal.
READ THE STORY: Euromaidan Press
Ukraine says Elon Musk's Starlink has been 'very effective' in countering Russia, and China is paying close attention
FROM THE MEDIA: Since the start of the Russian invasion, the US and its NATO and European allies have sent Ukraine security, economic, and humanitarian aid worth tens of billions of dollars.
Assistance to the embattled Ukrainians has come from the general public and private sector too. One of the most notable contributions has been that of Starlink, a satellite communication system run by Elon Musk's SpaceX.
SpaceX says it has delivered 15,000 Starlink kits to Ukraine since late February. The devices provide the Ukrainian military with a resilient and reliable means of communication. Ukrainian troops have used them to coordinate counterattacks or call in artillery support, while Ukrainian civilians have used the system to stay in touch with loved ones inside and outside of the country.
READ THE STORY: Business Insider
China-Backed Hackers Breached Top Global Telecom Firms Using Old Software Flaws: US Cyber Advisory
FROM THE MEDIA: A cybersecurity advisory, which includes America’s National Security Agency, Cybersecurity & Infrastructure Security Agency, and Federal Bureau of Investigation, etc, has said that in a cyber-espionage campaign lasting at least two years, Chinese government-backed hackers have broken into a number of major telecom businesses throughout the world. It was found that the hackers gained access to their targets by taking advantage of old and well-known severe vulnerabilities in common networking devices. The US officials said that the hackers utilized the stolen devices to acquire full access to the network traffic of several private companies and government agencies once they had a foothold within their targets.
However, the advisory did not list the identities of persons who were impacted by the campaign, nor did it describe the campaign’s impact. But US authorities did point out the specific networking devices, such as routers and switches, that Chinese hackers are suspected of routinely targeting, exploiting severe and well-known flaws that basically gave the attackers free reign over their targets.
READ THE STORY: News 18
New Syslogk Linux Rootkit Lets Attackers Remotely Command It Using "Magic Packets"
FROM THE MEDIA: A new covert Linux kernel rootkit named Syslogk has been spotted under development in the wild and cloaking a malicious payload that can be remotely commandeered by an adversary using a magic network traffic packet.
"The Syslogk rootkit is heavily based on Adore-Ng but incorporates new functionalities making the user-mode application and the kernel rootkit hard to detect," Avast security researchers David Álvarez and Jan Neduchal said in a report published Monday.
Adore-Ng, an open-source rootkit available since 2004, equips the attacker with full control over a compromised system. It also facilitates hiding processes as well as custom malicious artifacts, files, and even the kernel module, making it harder to detect.
READ THE STORY: THN
NCD Inglis: Cost of Entry for Cyber Criminals ‘Still Far Too Low’
FROM THE MEDIA: After a releasing an op-ed with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly last week that called CISA’s “Shields Up” campaign a new baseline for cyber defenses, National Cyber Director Chris Inglis said today that the cost of entry for cyber attackers is still too low to create stout deterrence.
Inglis explained the work that still needs to be done to secure the Federal cyber ecosystem, as well as some of the motivations behind the op-ed, today at the Information Technology Industry Council’s (ITI) Cyber Summit 2022.
In addressing concerns from the cybersecurity industry about CISA’s “Shields Up” campaign, and when those shields could come down, Inglis was clear, “we’ll never not defend ourselves in cyberspace.”
READ THE STORY: Meritalk
The Rise of RaaS: With Conti attacking Costa Rica govt vulnerability is in the limelight
FROM THE MEDIA: With awareness of Conti increasing, governments and businesses are equally feeling the ransomware heat. Higher spends on cybersecurity will become eminent even as digitised identity verification becomes indispensable, especially in e-government scenarios.
Conti is the latest kid on the ransomware block, observed since 2020 and believed to be distributed by a Russia-based group. All versions of Microsoft Windows have already been affected. In May, the US government offered a reward of up to $10 million for information on the group.
READ THE STORY: The Tech Panda
Royal Flying Doctors Service’s Rapid Ransomware Recovery
FROM THE MEDIA: Rubrik has announced it has helped the Royal Flying Doctors Service Queensland (RFDSQ) protect business-critical data and minimise the risk of ransomware attacks against the organisation.
Covering more than 1.7 million square kilometres, Royal Flying Doctors Service Queensland (RFDSQ) provides essential healthcare and retrieval services to some of Australia’s most isolated communities. Each year, it delivers more than 98,000 episodes of care which includes transporting 11,700 patients to and from metropolitan hospitals, running more than 5,300 health clinics across regional, rural, and remote Queensland, and providing health advice to more than 16,000 telehealth patients.
READ THE STORY: AU CyberSecurity Mag
Southeast Asia Should Confront Threat of Economic Espionage
FROM THE MEDIA: Southeast Asia’s digital transformation is unleashing a flurry of new opportunities and challenges. Across the region, governments and businesses are becoming cognizant of data protection, as cases of identity theft and credit card fraud reach new heights amidst the Covid-19 pandemic. But added to the flurry of concerns for governments is the looming challenge of state-sponsored intellectual property (IP) theft.
State-sponsored IP theft is a form of ‘economic espionage’, or the state practice of stealing commercially valuable data like IP. While the practice can be traced back to antiquity, the growing ubiquity of digital technology has made the practice more widespread, as governments industrialise their economic espionage efforts through cyber means. As an example of its scalable nature, American cybersecurity firm Cybereason reported, in early May, that hackers stole trillions of intellectual property (IP) from thirty multinational corporations across Europe, Asia, and North America. The culprit was ‘Winnti’ (also known as APT41), a prominent hacking group with a history of conducting cyber-espionage operations on behalf of the Chinese state. While this is not the first major incident attributed to allegedly China-linked hackers, the case saw one of the largest amounts of IP stolen in recent history.
READ THE STORY: Fulcrum
If you want to launch Starship from Texas, here's some homework, FAA tells SpaceX
FROM THE MEDIA: SpaceX is one step closer to securing a permit to launch not just its first rocket from Boca Chica, Texas but its reusable super-heavy lifter at that.
And by one step closer, we mean: the US Federal Aviation Administration has issued more than 75 requirements for SpaceX to fulfill, which are aimed at minimizing the environmental impact of its launches on residents and wildlife.
Those requirements [PDF], made public Monday by the watchdog, list a series of concerns and actions SpaceX needs to take before it can hope to get the green light to use Boca Chica as intended. The FAA wants SpaceX to complete this environmental review and mitigate the effects of repeatedly launching and landing its giant reusable 120-metre Starship on the air, water, climate, peace and quiet, and land around the launchpad.
READ THE STORY: The Register
Xen patches three bugs that allow guest-host takeover
FROM THE MEDIA: The Xen Project has disclosed three bugs in its eponymous hypervisor – all of which would allow a malicious VM administrator to take control of a host system.
CVE-2022-26364 and CVE-2022-26363 are the subject of a single security advisory that warns the flaws mean "Malicious x86 PV guest administrators can escalate privilege so as to control the whole system."
The bad news is that all versions of Xen have the problem, which is caused by an incorrect conclusion that a page is safe to access. The good news is that Xen has a sincere belief that Xen on Intel's Ivy Bridge or later architectures is not impacted by the vulnerability. The flaw also impacts only paravirtualized guests that have access to a host's devices. Not sharing devices with guests will make the problem moot.
READ THE STORY: The Register
Health care provider Kaiser Permanente suffers data breach
FROM THE MEDIA: Health care provider Kaiser Permanente has disclosed a data breach that compromised the information of some 70,000 patients at subsidiary Kaiser Foundation Health Plan of Washington.
In a June 3 notice to patients, Kaiser Permanente described the data breach as a “security incident” that involved unauthorized access on April 5. The company said it discovered that an unauthorized party had gained access to an employee’s emails. It’s claimed that the unauthorized access was terminated within hours after it began.
Protected health information was contained in the emails. Although Kaiser Permanente says it has no indication that the unauthorized party accessed the information, it’s unable to rule out the possibility.
Information potentially breached included first and last name, medical record number, dates of service and laboratory test result information. Social Security numbers and credit card numbers were not exposed.
READ THE STORY: Silicon Angle
Geely founder's venture buys majority stake in Chinese smartphone maker Meizu
FROM THE MEDIA: A venture run by the founder of Chinese automaker Zhejiang Geely Holding plans to acquire an 79% stake in Chinese smartphone maker Meizu, a statement published by China's anti-monopoly regulator showed on Monday.
The State Administration of Market Regulation said that Hubei Xingji Shidai Technology Co Ltd had agreed to purchase the stake from two of Meizu's shareholders. It did not give a value for the deal.
Xingji Shidai and Meizu both said in similar statements that they had signed a strategic investment agreement but the deal was still being reviewed by regulators and details were still being negotiated.
READ THE STORY: ET
Items of interest
Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations
FROM THE MEDIA: In the past, security experts typically made a distinction between a cybercrime and an advanced persistent threat (APT). While cybercrime focused on obtaining financial gain, APTs trailed their sights on specific organizations, often to steal nation-state secrets. Cobalt Mirage recently seems to have blurred the lines with recent attacks on U.S.-based targets using BitLocker and DiskCryptor. In an effort to keep organizations safe through transparency, we delved deeper into the threat to identify more artifacts that could put them at risk.
Using the publicized IoCs as jump-off points, we began by subjecting the 11 domain IoCs to a bulk WHOIS lookup, which led to the discovery of three unredacted email addresses. Subjecting those registrant email addresses to historical reverse WHOIS searches let us uncover 72 domains.
Reverse IP lookups for five IP addresses (2 identified by AlienVault as IoCs and 3 revealed by DNS lookups for the additional 72 domains) that played host to the domain IoCs provided an additional 600 domains. Interestingly, one of the three additional IP hosts we uncovered—54[.]39[.]78[.]148—seemed to be a dedicated IP address.
A bulk malware check on the Threat Intelligence Platform on all the additional domains and IP addresses identified through our analysis showed that organizations should probably block access to and from two specific domains—001lab[.]com and agrisecurv-supc[.]ml—as they have been dubbed “malicious” by various malware engines.
READ THE STORY: CircleID
Things you need to know about Ransomware as a service(raas) (Video)
FROM THE MEDIA: Things you need to know about Ransomware as a service(raas).
How the Ransomware as a Service Economy Works: Non-Technical (Video)
FROM THE MEDIA: Ransomware demands have grown 1,900%. Those ransom payments support a lavish lifestyle for cyber criminals.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com