Wednesday, July 06, 2022 // (IG): BB // Weekly Sponsor: Zanes Hand Made
PSA: THE NEWSLETTER HAS MOVED. SUBSCRIBE TO RECEIVE THESE.
Threat Actor Claims Responsibility For IBM and Stanford University Hack
FROM THE MEDIA: CloudSEK reports that its XVigil artificial intelligence platform surfaced a post on an English-speaking cybercrime forum in early May. The post names the open source automation server Jenkins among the tools and techniques a threat actor used in attacks against IBM and Stanford University. According to CloudSEK, the module described in the post contains hidden desktop takeover capabilities that threat actors use to generate clicks on online advertisements. CloudSEK also obtained a sample screenshot of a Jenkins dashboard offered as proof of access.
READ THE STORY: OODALOOP
The guerrilla war on Belarus’s railways For months, Belarusian activists have been damaging railroads to hinder Russia’s army. Now they could face the death penalty.
FROM THE MEDIA: In May 2022, Belarusian President Alexander Lukashenko signed a law making any attempt to commit a terrorist attack punishable by death — and terrorism is exactly the charge being brought against a number of Belarusians who stand accused of damaging the country’s railroads. Belarus's "railroad war" began before Russia’s full-scale invasion of Ukraine, when the Russian and Belarusian armies began conducting joint exercises; since then, there have been dozens of attacks. At Meduza’s request, Belarusian journalist Anya Perova reports on Belarus’s railroad guerrilla fighters.
READ THE STORY: MEDUZA
PennyWise malware on YouTube targets cryptocurrency wallets and browsers
FROM THE MEDIA: A new information stealer, dubbed PennyWise by its developers, has recently been exposed by Cyble Research Labs. The researchers observed multiple samples of the malware in the wild, making it an active threat. The stealer focuses on sensitive browser data and cryptocurrency wallets, and it surfaces as the Pentagon raises concerns about the blockchain.
READ THE STORY: TechRepublic
Advanced Phishing Scams Target Middle East and Impersonate UAE Ministry of Human Resources
FROM THE MEDIA: CloudSEK researchers have identified an extensive phishing campaign in which threat actors (TA) were impersonating the Ministry of Human Resources of the UAE government.
Spotted through the company’s artificial intelligence (AI) digital risk monitoring platform XVigil, the campaign targets various government and corporate entities across the finance, travel, hospital, legal, oil and gas and consultation industries. “The actors created a fake website [...] that resembles the legitimate domain [...] to defraud users,” CloudSEK wrote in an advisory.
READ THE STORY: INFOSEC MAG
Sophisticated campaign compromises SOHO routers.
FROM THE MEDIA: "We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold. While we currently have a narrow view of the full extent of the actor’s capabilities due to the limited state of SOHO device monitoring in general, using proprietary telemetry from the Lumen global IP backbone, we have enumerated some of the command-and-control (C2) infrastructure associated with this activity and identified some of the targets. We assess with high confidence the elements we are tracking are part of a broader campaign."
READ THE STORY: The CyberWire
The Unraveling of Russian Spies
FROM THE MEDIA: Last Thursday, Russian President Vladimir Putin congratulated the illegal intelligence department [Division S] of his Foreign Intelligence Service (SVR) on its 100th anniversary in a ceremony in front of the Fatherland, Valor, Honor monument at the SVR’s headquarters in Moscow.
Putin, a former intelligence officer himself, said, “I would like to cordially congratulate all those for whom working in this critical area was their calling and destiny; those who defended our country’s national interests without any diplomatic or other cover for years and decades; and all those who conduct unique operations today, transmitting precious information to the Centre.”
READ THE STORY: The Cipher Brief
HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain
FROM THE MEDIA: HackerOne has fired one of its employees for collecting bug bounties from its customers after alerting them to vulnerabilities in their products — bugs that had been found by other researchers and disclosed privately to HackerOne via its coordinated vulnerability disclosure program.
HackerOne discovered the caper when one of its customers asked the organization to investigate a vulnerability disclosure that was made outside the HackerOne platform in June. The customer, like other clients of bug bounty programs, uses HackerOne to collect and report vulnerabilities in its products that independent security researchers might have discovered. In return, the company pays a reward — or bug bounty — for reported vulnerabilities.
READ THE STORY: DarkReading
Latest Cyberattack Against Iran Part of Ongoing Campaign
FROM THE MEDIA: According to a report by Check Point Research, Iran’s steel manufacturing industry has been subject to ongoing cyberattacks, and the malware used against the steel plants is connected to the attack on the country’s rail system last year. In both cases the malware was used to inflict physical damage on critical infrastructure. Check Point Research states that contextual clues, recycled jokes and overlaps in code all indicate that the attacks, a year apart, may be attributed to the same threat actor.
READ THE STORY: OODALOOP
Marriott confirms latest data breach, possibly exposing information on hotel guests, employees
FROM THE MEDIA: Marriott International confirmed Tuesday that unknown criminal hackers broke into its computer networks and then attempted to extort the company, marking the latest in a string of successful cyberattacks against one of the world’s biggest hotel chains.
The incident, first reported early Tuesday by databreaches.net, allegedly occurred roughly a month ago and was the work of a group claiming to be “an international group working for about five years,” according to the site.
READ THE STORY: CyberScoop
Google TAG exposes hack-for-hire groups targeting activists and sensitive data
FROM THE MEDIA: Hack-for-hire groups use various methods to pursue their targets, with some openly advertising their services, while other groups solicit business with a more select group of potential clients, according to researchers.
TAG tracked a group of India-based threat actors, some of them with prior experience inside offensive security firms, including Appin and Belltrox. Researchers have linked the former employees to a new firm called Rebsec, which openly advertises corporate espionage.
READ THE STORY: CyberSecurity Dive
Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method
FROM THE MEDIA: The operators of the Hive ransomware-as-a-service (RaaS) scheme have overhauled their file-encrypting software to fully migrate to Rust and adopt a more sophisticated encryption method.
"With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," Microsoft Threat Intelligence Center (MSTIC) said in a report on Tuesday. Hive, which was first observed in June 2021, has emerged as one of the most prolific RaaS groups, accounting for 17 attacks in the month of May 2022 alone, alongside Black Basta and Conti.
READ THE STORY: THN
Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web
FROM THE MEDIA: Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.
"Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites," Cisco Talos researcher Paul Eubanks said. "They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks."
READ THE STORY: THN
Billion-record stolen Chinese database for sale on breach forum
FROM THE MEDIA: A threat actor has taken to a forum for news and discussion of data breaches with an offer to sell what they assert is a database containing records of over a billion Chinese civilians, allegedly stolen from the Shanghai Police. Over the weekend, reports started to surface of a post to a forum at Breached.to. The post makes the following claim: "In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens."
READ THE STORY: The Register
AstraLocker Ransomware Shuts Down Operations, Plans to Go for Cryptojacking Instead
FROM THE MEDIA: BleepingComputer, citing threat intelligence firm ReversingLabs, reported that AstraLocker encrypted victims' devices in a rather unconventional way compared with other ransomware strains: instead of first compromising the device, the AstraLocker operator simply sent infected Microsoft Word documents as email attachments, which released the payload without detection.
The lures used in AstraLocker attacks are documents that conceal an OLE object holding the ransomware payload; the payload is released if the target clicks Run in the warning dialog displayed upon opening the document.
READ THE STORY: ITech Post
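The lure described above is a plain .docx carrying an embedded OLE object, and that structure is cheap to check for before a document reaches a user. The scanner below is an added example for this item, not code from ReversingLabs or BleepingComputer. A .docx is a ZIP container; an embedded OLE object appears as a relationship of type ".../oleObject" in word/_rels/document.xml.rels pointing at a part under word/embeddings/. The scanner reports each such part, whether it starts with the Compound File Binary (CFB) signature, and whether it carries an "Ole10Native" stream name, the container the Packager shell extension uses to wrap an arbitrary file such as an executable. The stream-name check is a byte-pattern heuristic rather than a full CFB parse, and the sample documents are constructed in memory for the demonstration.

```python
"""Scan a .docx for embedded OLE objects of the kind AstraLocker lures use.

Added example; not code from ReversingLabs or BleepingComputer. The
"Ole10Native" check is a byte-pattern heuristic, not a CFB parser, and
build_sample_docx() produces constructed test data, not a real lure.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File Binary header
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
DOC_RELS = "word/_rels/document.xml.rels"
# CFB directory entries store stream names as UTF-16LE.
OLE10NATIVE = "Ole10Native".encode("utf-16-le")


def scan_docx(data: bytes):
    """Return one finding per OLE-object relationship in the main document part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if DOC_RELS not in names:
            return findings
        root = ET.fromstring(z.read(DOC_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != OLE_REL_TYPE:
                continue
            target = rel.get("Target", "")
            # Targets are relative to word/ unless they start with "/".
            part = target[1:] if target.startswith("/") else "word/" + target
            blob = z.read(part) if part in names else b""
            findings.append({
                "part": part,
                "present": part in names,
                "is_cfb": blob.startswith(CFB_MAGIC),
                "packager": OLE10NATIVE in blob,
                "size": len(blob),
            })
    return findings


def build_sample_docx(with_ole: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed test data)."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if with_ole:
        rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                    'Target="embeddings/oleObject1.bin"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr(DOC_RELS, "".join(rels))
        if with_ole:
            # Fake object: CFB signature, 504 bytes of header padding, then a
            # directory-entry name as Packager would write it.
            blob = CFB_MAGIC + b"\x00" * 504 + "\x01Ole10Native".encode("utf-16-le")
            z.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx(True)):
        print(finding)
```

Headers, footers and other parts have their own .rels files, and objects can also arrive under the "package" relationship type, so a production gate should walk every rels file and use a real CFB parser (oletools' oleobj, for example) rather than the byte-pattern shortcut used here. Any document that embeds a Packager object with an executable payload deserves quarantine regardless of whether the user would have clicked Run.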
Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug
FROM THE MEDIA: Microsoft has confirmed that it fixed the previously disclosed 'ShadowCoerce' vulnerability, which enabled attackers to target Windows servers in NTLM relay attacks, as part of the June 2022 updates.
This NTLM relay attack method can be used by threat actors to coerce unpatched servers into authenticating to servers under the attacker's control; relaying that authentication onward can lead to a takeover of the Windows domain. As BleepingComputer was told by a Microsoft spokesperson, while no public announcement was made regarding this issue, the "MS-FSRVP coercion abuse PoC aka 'ShadowCoerce' was mitigated with CVE-2022-30154, which affected the same component."
READ THE STORY: BleepingComputer
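Coercion bugs such as the MS-FSRVP abuse above leave a recognisable trace when the coerced authentication is relayed: the relay target records a network logon by the coerced server's machine account (NAME$) arriving from the attacker's address rather than from the server's own. The hunting heuristic below is an added example for this item, not code from Microsoft or BleepingComputer. It runs over constructed records modelled on the fields of Windows Security event 4624 and a constructed asset inventory, both of which are assumptions made for the demonstration.

```python
"""Heuristic detection of relayed machine-account NTLM logons.

Added example for this newsletter item; not code from Microsoft or
BleepingComputer. INVENTORY and EVENTS are constructed test data
modelled on Windows Security event 4624 fields.
"""
from dataclasses import dataclass

# Constructed inventory: the IP each domain computer legitimately owns.
INVENTORY = {
    "DC01": "10.0.0.10",
    "FILESRV01": "10.0.0.20",
    "WS-ALICE": "10.0.0.77",
}

# Constructed 4624/4625 records. LogonType 3 is a network logon; machine
# accounts end in "$". The second record is the relay-shaped one.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "FILESRV01$", "IpAddress": "10.0.0.20", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "FILESRV01$", "IpAddress": "10.0.0.99", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "WS-ALICE$", "IpAddress": "10.0.0.77", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.77", "Computer": "WS-ALICE"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "FILESRV01$", "IpAddress": "10.0.0.99", "Computer": "DC01"},
]

LOCAL_ADDRESSES = {"-", "::1", "127.0.0.1"}


@dataclass(frozen=True)
class RelayAlert:
    account: str       # machine account that authenticated
    expected_ip: str   # address the inventory assigns to that machine
    seen_ip: str       # address the logon actually came from
    target: str        # host that accepted the logon (the relay target)


def find_relayed_machine_logons(events, inventory):
    """Return an alert for every successful NTLM network logon by a machine
    account whose source address differs from the inventory address for
    that machine. Hosts missing from the inventory are skipped, not guessed."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        account = ev.get("TargetUserName", "")
        if not account.endswith("$"):
            continue
        expected = inventory.get(account[:-1].upper())
        seen = ev.get("IpAddress", "-")
        if expected is None or seen in LOCAL_ADDRESSES:
            continue
        if seen != expected:
            alerts.append(RelayAlert(account, expected, seen, ev.get("Computer", "")))
    return alerts


if __name__ == "__main__":
    for a in find_relayed_machine_logons(EVENTS, INVENTORY):
        print(f"{a.account} logged on to {a.target} from {a.seen_ip}; "
              f"inventory says {a.expected_ip}")
```

Treat this as a hunting query rather than a high-fidelity rule: multi-homed servers, NAT and VPN address pools all produce the same mismatch legitimately, and only NTLM is relayable this way, which is why Kerberos logons are ignored. Pairing a hit with the coerced host's own outbound SMB connection to the same unexpected address is what turns it into an incident.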
LockBit explained: How it has become the most popular ransomware
FROM THE MEDIA: LockBit is one of the most prominent ransomware-as-a-service (RaaS) operations that has targeted organizations over the past several years. Since its launch in 2019, LockBit has constantly evolved, seeing unprecedented growth recently driven by other ransomware gangs disbanding.
The LockBit creators sell access to the ransomware program and its infrastructure to third-party cybercriminals known as affiliates who break into networks and deploy it on systems for a cut of up to 75% of the money paid by victims in ransoms. Like most similar RaaS gangs, LockBit engages in double extortion tactics where its affiliates also exfiltrate data out of victim organizations and threaten to publish it online.
READ THE STORY: CSO ONLINE
Justice Department identifies disrupting ransomware and cyberattacks as key objective in new strategic plan
FROM THE MEDIA: The Department of Justice said Friday that it will make disrupting ransomware attacks and prosecuting cybercriminals a key objective as part of a new strategic plan. In a statement, the department said it intends to beef up its cybersecurity technological capabilities and to more aggressively pursue those who put U.S. government information or assets at risk.
READ THE STORY: FEDSCOOP
MedusaLocker ransomware gang warning issued by feds
FROM THE MEDIA: The FBI, the Cybersecurity and Infrastructure Security Agency, the Financial Crimes Enforcement Network and the Department of the Treasury have issued a joint warning about the MedusaLocker ransomware operation, which since May has increasingly exploited vulnerable Microsoft Remote Desktop Protocol configurations to gain access to target networks, ZDNet reports.
After initial access, MedusaLocker distributes a PowerShell script to spread the ransomware across the network and uses the SMB file-sharing protocol to find attached storage, according to the advisory. MedusaLocker then restarts the LanmanWorkstation service so that its registry edits take effect; kills security software processes; encrypts victim files with the AES-256 algorithm; establishes persistence; and thwarts standard recovery methods, the agencies said, also noting MedusaLocker's ransomware-as-a-service model.
READ THE STORY: SC MAG
TSA Implements 'Surge Team' to Allow Pipeline Industry Flexibility on Security Directives
FROM THE MEDIA: The Department of Homeland Security’s Transportation Security Administration has added cybersecurity professionals to its roster to handle requests for flexibility on the security requirements the agency issued for pipeline owners and operators following a landmark ransomware attack.
According to a factsheet DHS shared with Nextgov describing the agency’s plans to secure the pipeline industry from cyberattack, TSA has received an unprecedented number of requests, 380, from entities covered by a pair of directives the agency issued after Colonial Pipeline shut down operations in connection with a ransomware attack in May 2021.
READ THE STORY: NEXTGOV
Near-undetectable malware linked to Russia's Cozy Bear
FROM THE MEDIA: Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about their business.
Unit 42's analysts assert that the malware was spotted in May 2022 and contains a malicious payload that suggests it was created using a tool called Brute Ratel (BRC4). On its rather brazen website, BRC4 is described as "A Customized Command and Control Center for Red Team and Adversary Simulation". The tool's authors even claim they reverse-engineered antivirus software to make BRC4 harder to detect.
READ THE STORY: The Register
The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan
FROM THE MEDIA: Military leaders around the world are closely watching Russia’s invasion of Ukraine, which just entered its fifth month, but perhaps none more than those in China are tracking the intricacies of Russia’s cyberattacks designed to further cripple Kyiv. Cybersecurity experts and China observers who spoke to CyberScoop strongly believe that Beijing’s military leaders are learning from Russia’s approach to cyberspace — missteps and all — during the Ukraine conflict. There are implications not only for the U.S., but for China’s neighbor Taiwan, which a U.S. official said in 2021 could be subject to a Chinese invasion in the next six years.
READ THE STORY: CyberScoop
Abortion disinformation is growing and dangerously divisive, experts say
FROM THE MEDIA: Rep. Marjorie Taylor Greene’s Twitter account struck an urgent tone the Sunday after the Supreme Court’s historic abortion ruling. She implored her 968,000 followers to have the “fortitude to act” against Department of Defense leaders for refusing to recognize the court’s decision, which eliminates the constitutional right to an abortion. But DOD leaders never stated they would ignore the court’s ruling in the Dobbs v. Jackson case.
READ THE STORY: CyberScoop
Items of interest
Chinese Espionage Links Uncovered In India While Probing Money Laundering
FROM THE MEDIA: Recent evidence suggests that Chinese corporations are being used as arms of the Chinese state for espionage.
Money laundering allegations: The Chinese mobile manufacturer Vivo is being investigated by the ED in a money laundering case.
A total of 44 locations have been raided by the ED under the provisions of the Prevention of Money Laundering Act.
The ED has already passed an order freezing Xiaomi India's bank assets worth over Rs 5,500 crore.
The espionage angle: The Union government has been busting spy rings, studying incoming Chinese investments into India, carrying out tax raids on major Chinese telecom companies, and cracking down on Chinese mobile apps since 2020.
Raids have been carried out on firms like ZTE and Huawei, apart from Vivo and Xiaomi.
The availability of cheap and even underpriced products from these firms has given them significant market share in India.
Several Chinese companies are being probed for profiling 'high value' individuals, exfiltrating bulk data, and engaging in large-scale tax evasion.
Their goal seems to be to gain a strategic advantage over India's economic and security systems.
There are hundreds of small Chinese companies, a web controlled by Chinese nationals with dummy Indian directors and managers, to provide a veil of legitimacy, an Economic Times (ET) report says.
A probe by the Registrar of Companies revealed that these companies did not physically exist at their registered offices, although the bank accounts were active. They were being operated from abroad.
According to the ET report, "The web of these companies is believed to have laundered over Rs 1,000 crore, with some of the proceeds used to gather intelligence in India."
Influencing Tibetans: One such company was used to influence Tibetan monks living in India.
Luo Sang, a Chinese national, was arrested in 2020. He was sending money in packets to Tibetan monks.
The Government of India suspects that the money was provided to Tibetan monks to gather information about the Dalai Lama and the Tibetan government-in-exile.
Findings: It was found that senior employees of some of these companies are members of the Chinese Communist Party.
In one case, it was discovered that the CEO of a major telecom firm possessed sensitive documents.
In another, a deep profile of an Indian business leader of interest to China was discovered.
Chinese-origin mobile phones were found to have a seamless data link with China.
Indians' data collected via these devices, such as fingerprints and selfies, has helped China acquire biometric details of millions of Indians.
READ THE STORY: Swarajya MAG
Will the Next World War Be Cyber? (Video)
FROM THE MEDIA: For years, experts have predicted that the next major conflict would take place inside our computers, rather than on physical battlefields. But the initial months of Russia's war in Ukraine have seen a surprising absence of cyber warfare — or has it? What’s the real role digital attacks have played in that war, and what have we learned about how cyber war works — and doesn’t — from the conflict in Eastern Europe? What lessons should we be thinking about for the future of geopolitics, cybersecurity, and the safety of our everyday digital lives?
A Brief History of Lies: Government Deception from Watergate to Today (Video)
FROM THE MEDIA: Fifty years ago, the nation was (gradually, then suddenly) rocked by revelations of dirty tricks in what became known as the Watergate scandal. But it wasn’t the first time that our government deceived its citizens, and it certainly wasn’t the last. From false narratives promoting war to deliberate lies meant to undermine elections, has deception come to be seen as a legitimate political tool? And is there any way for us to stop it?
These open source products are reviewed by analysts at InfoDom Securities and provide possible context on current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com